
AssetEncoder doesn't handle invalid paths missing a digest

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 4.1.1, 4.1.2, 4.1.3, 4.1.5
    • Fix Version/s: 4.1.6
    • Component/s: Framework
    • Labels: None

      Description

      AssetEncoder.decode() has this line:

      int slashx = pathInfo.indexOf('/', 1);

      but never checks for slashx == -1 before using it in:

      encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));

      which, if the URL didn't have another slash after "assets/", causes a StringIndexOutOfBoundsException at runtime. Some automated security testing tools flag the resulting stack trace in the response as a potential risk, and it just looks bad, even though the URL was not one generated by AssetEncoder, but one that was obviously manipulated by hand.
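      As an added example (not code from the Tapestry project): a self-contained Java model of the affected parsing, with the unchecked form beside a version that rejects paths without a digest segment. The Tapestry request and encoding types are stood in for by plain Strings, and the sample paths are constructed.

```java
// Added example, not Tapestry's own code: models the path parsing in
// AssetEncoder.decode() before and after the missing slashx check.
public class AssetPathDigestCheck {

    /** Mirrors the original logic: assumes a second '/' always exists. */
    static String digestUnchecked(String pathInfo) {
        int slashx = pathInfo.indexOf('/', 1);
        // slashx == -1 makes substring() throw StringIndexOutOfBoundsException
        return pathInfo.substring(1, slashx);
    }

    /** Hardened: returns null when the path carries no digest segment, so the
     *  caller can reject the request instead of leaking a stack trace. */
    static String digestChecked(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        int slashx = pathInfo.indexOf('/', 1);
        if (slashx <= 1) {              // no second slash, or an empty digest ("//...")
            return null;
        }
        return pathInfo.substring(1, slashx);
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed asset path and two hand-edited ones.
        String[] samples = { "/abc123/org/example/style.css", "/abc123", "/" };
        for (String p : samples) {
            String checked = digestChecked(p);
            String unchecked;
            try {
                unchecked = digestUnchecked(p);
            } catch (StringIndexOutOfBoundsException e) {
                unchecked = "threw " + e.getClass().getSimpleName();
            }
            System.out.println(p + " -> unchecked: " + unchecked + ", checked: " + checked);
        }
    }
}
```

      For "/abc123/org/example/style.css" both variants return "abc123"; for "/abc123" and "/" the unchecked form throws while the checked form returns null.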


            People

            • Assignee: andyhot Andreas Andreou
            • Reporter: gwoolsey Greg Woolsey
            • Votes: 0
            • Watchers: 0
