  2. TAPESTRY-1915

AssetEncoder doesn't handle invalid paths missing a digest

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 4.1.1, 4.1.2, 4.1.3, 4.1.5
    • Fix Version/s: 4.1.6
    • Component/s: Framework
    • Labels: None

      Description

      AssetEncoder.decode() has this line:

      int slashx = pathInfo.indexOf('/', 1);

      but never checks for slashx == -1 before using it in:

      encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));

      which, if the URL didn't have another slash after "assets/", causes a StringIndexOutOfBoundsException at runtime. Some automated security testing tools flag the resulting stack trace in the response as a potential risk, and it just looks bad, even though the URL was not one generated by AssetEncoder, but one obviously manipulated manually somehow.
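      As an added illustration (not Tapestry's own AssetEncoder code), the following parser handles the pathInfo that follows "assets/" in the "/<digest>/<resource path>" layout the report describes, with the missing slashx == -1 check in place so a hand-edited URL is rejected cleanly instead of throwing StringIndexOutOfBoundsException. The class and method names, and the sample digest "abc123", are assumptions made for this example.

```java
import java.util.Optional;

// Added example, not Tapestry's AssetEncoder: parse "/<digest>/<path>" safely.
public final class AssetPathParser {

    /** Parsed result: the digest segment and the remaining resource path. */
    public static final class AssetRef {
        public final String digest;
        public final String path;
        AssetRef(String digest, String path) { this.digest = digest; this.path = path; }
    }

    /**
     * Same lookup as the report's decode(): find the second slash, take the digest
     * from between the slashes. Returns Optional.empty() for malformed input so the
     * caller can answer 404 rather than leak a stack trace in the response.
     */
    public static Optional<AssetRef> parse(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return Optional.empty();
        }
        int slashx = pathInfo.indexOf('/', 1);
        // The check the report says is missing: with no second slash there is no
        // digest segment, and substring(1, -1) would throw at runtime.
        if (slashx == -1) {
            return Optional.empty();
        }
        String digest = pathInfo.substring(1, slashx);
        String path = pathInfo.substring(slashx + 1);
        if (digest.isEmpty() || path.isEmpty()) {
            return Optional.empty(); // "//x" or "/abc123/" are not valid asset URLs
        }
        return Optional.of(new AssetRef(digest, path));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one generated-style URL and three hand-edited ones.
        String[] samples = { "/abc123/images/logo.png", "/abc123", "/abc123/", "/" };
        for (String s : samples) {
            String result = parse(s)
                .map(r -> "digest=" + r.digest + " path=" + r.path)
                .orElse("reject (404)");
            System.out.println(s + " -> " + result);
        }
    }
}
```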


          People

          • Assignee: Andreas Andreou
          • Reporter: Greg Woolsey
          • Votes: 0
          • Watchers: 0
