Ready for 5.6.0? Any blockers?

Ready for 5.6.0? Any blockers?

Thiago H de Paula Figueiredo
Hello, everyone!

I'd like to release Tapestry 5.6.0 as soon as possible. There's a security
improvement and support for Java 14 bytecode. Anything else you believe is
a blocker for this release?

Here are the tickets included in the 5.6.0 release:

* TAP5-2602 [Critical, Bug] 5.4 LinkSubmit does not work with Prototype JS
  <https://issues.apache.org/jira/browse/TAP5-2602>
  Thiago Henrique De Paula Figueiredo
  <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, CLOSED
* TAP5-2624 [Major, Improvement] Support Java 14 bytecode by upgrading
  embedded ASM version to 8.0.1
  <https://issues.apache.org/jira/browse/TAP5-2624>
  Thiago Henrique De Paula Figueiredo
  <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, RESOLVED
* TAP5-2631 [Major, Improvement] Make Tapestry forms more accessible with
  automatic generation WAI-ARIA attributes
  <https://issues.apache.org/jira/browse/TAP5-2631>
  Thiago Henrique De Paula Figueiredo
  <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, CLOSED
* TAP5-2632 [Major, Bug] ContextAssetRequestHandler doesn't handle slashes
  in paths correctly
  <https://issues.apache.org/jira/browse/TAP5-2632>
  Thiago Henrique De Paula Figueiredo
  <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, RESOLVED
* TAP5-2626 [Minor, Improvement] Update Closure Compiler to latest version
  available (v20200628)
  <https://issues.apache.org/jira/browse/TAP5-2626>
  Thiago Henrique De Paula Figueiredo
  <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, CLOSED

--
Thiago

Re: Ready for 5.6.0? Any blockers?

bobharner
None from me

On Sun, Jul 19, 2020, 11:34 AM Thiago H. de Paula Figueiredo <
[hidden email]> wrote:

> Hello, everyone!
>
> I'd like to release Tapestry 5.6.0 as soon as possible. There's a security
> improvement and support for Java 14 bytecode. Anything else you believe is
> a blocker for this release?

Re: Ready for 5.6.0? Any blockers?

Dmitry Gusev
Missed this, none from me either.

On Wednesday, July 22, 2020, Bob Harner <[hidden email]> wrote:

> None from me


--
Dmitry Gusev

AnjLab Team
http://anjlab.com

Re: Ready for 5.6.0? Any blockers?

David Taylor
In reply to this post by Thiago H de Paula Figueiredo
Hello Everyone,

We are very interested in seeing the 5.6.0 update out the door and
decided to test out the patch for TAP5-2632. In the course of doing so
we found another related issue.

When the path /assets/META-INF is entered in the browser it causes a
StringIndexOutOfBoundsException in the constructor of the ChecksumPath
class since the code does not guard against the possibility that indexOf
will not find a match. Below is the offending code and the exception.

It seems that this needs to get patched to harden the application
against bad input which is apparently very easy to devise. That was
actually the first test string entered when testing the patch. Clearly
Tapestry should not be responding to bad input with an exception.

int slashx = extraPath.indexOf('/');

java.lang.StringIndexOutOfBoundsException
begin 0, end -1, length 8

Best Regards,
David Taylor

On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:

> Hello, everyone!
>
> I'd like to release Tapestry 5.6.0 as soon as possible. There's a security
> improvement and support for Java 14 bytecode. Anything else you believe is
> a blocker for this release?

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Ready for 5.6.0? Any blockers?

David Taylor
FYI - The following modifications to ChecksumPath prevent the
StringIndexOutOfBoundsException and allow the server to respond with a
404 error.

     public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
     {
         this.streamer = streamer;
         int slashx = extraPath.indexOf('/');

         // indexOf returns -1 when extraPath has no '/'; use the whole string as the checksum.
         checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;

         // With no '/', there is no resource path after the checksum.
         String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";

         resourcePath = baseFolder == null
           ? morePath
           : baseFolder + "/" + morePath;
     }



On 7/23/2020 11:39 PM, David Taylor wrote:

> Hello Everyone,
>
> We are very interested in seeing the 5.6.0 update out the door and
> decided to test out the patch for TAP5-2632. In the course of doing so
> we found another related issue.
>
> When the path /assets/META-INF is entered in the browser it causes a
> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> class since the code does not guard against the possibility that
> indexOf will not find a match. Below is the offending code and the
> exception.
>
>  It seems that this needs to get patched to harden the application
> against bad input which is apparently very easy to devise. That was
> actually the first test string entered when testing the patch. Clearly
> Tapestry should not be responding to bad input with an exception.
>
> int slashx = extraPath.indexOf('/');
>
> java.lang.StringIndexOutOfBoundsException
> begin 0, end -1, length 8
>
> Best Regards,
> David Taylor

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
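
The failure reported above and the guard that avoids it, as an added example that is not part of the original messages and is not Tapestry source code. The unguarded split is an assumed reconstruction from the quoted indexOf line and exception; the class, the handler, the asset table and the sample inputs are hypothetical, and the inputs are taken to be the text that follows the /assets/ prefix.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Tapestry source code. All names here are hypothetical.
public class ChecksumPathDemo
{
    // Constructed sample data: resource path -> checksum expected in the URL.
    private static final Map<String, String> ASSETS = new HashMap<>();
    static
    {
        ASSETS.put("META-INF/assets/app.css", "1f3a9c");
    }

    /** Assumed shape of the unguarded split; the thread shows only the indexOf line. */
    static String[] splitUnguarded(String extraPath)
    {
        int slashx = extraPath.indexOf('/');
        // indexOf returns -1 when there is no '/', so substring(0, -1) throws
        // StringIndexOutOfBoundsException.
        return new String[] { extraPath.substring(0, slashx), extraPath.substring(slashx + 1) };
    }

    /** Guarded split, following the modification posted in the thread. */
    static String[] splitGuarded(String extraPath)
    {
        int slashx = extraPath.indexOf('/');
        String checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
        return new String[] { checksum, morePath };
    }

    /** Hypothetical handler: maps the extra path of a request to an HTTP status. */
    static int statusFor(String extraPath)
    {
        String[] parts = splitGuarded(extraPath);
        String checksum = parts[0];
        String resourcePath = parts[1];

        // Malformed input (no checksum or no resource path) is "not found",
        // never an uncaught exception.
        if (checksum.isEmpty() || resourcePath.isEmpty())
        {
            return 404;
        }

        String expected = ASSETS.get(resourcePath);
        return expected != null && expected.equals(checksum) ? 200 : 404;
    }

    public static void main(String[] args)
    {
        // Constructed inputs covering the reported case and its neighbours.
        String[] inputs = {
            "1f3a9c/META-INF/assets/app.css", // well-formed, matching checksum
            "META-INF",                       // the reported case: no '/' at all
            "",                               // empty extra path
            "/",                              // empty checksum and empty resource path
            "1f3a9c/",                        // checksum with nothing after it
            "/META-INF/assets/app.css",       // leading slash, so the checksum is empty
            "000000/META-INF/assets/app.css"  // well-formed, wrong checksum
        };

        for (String input : inputs)
        {
            String unguarded;
            try
            {
                unguarded = Arrays.toString(splitUnguarded(input));
            }
            catch (StringIndexOutOfBoundsException e)
            {
                unguarded = "StringIndexOutOfBoundsException";
            }
            System.out.printf("%-34s unguarded=%-42s guarded status=%d%n",
                "\"" + input + "\"", unguarded, statusFor(input));
        }
    }
}
```

Only the first input yields 200; the two inputs without a slash throw in the unguarded split and map to 404 in the guarded one.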


Re: Ready for 5.6.0? Any blockers?

Thiago H de Paula Figueiredo
In reply to this post by David Taylor
On Fri, Jul 24, 2020 at 12:39 AM David Taylor <[hidden email]>
wrote:

> Hello Everyone,
>

Hello!


> We are very interested in seeing the 5.6.0 update


So am I, so I'm planning to get a release ready for voting soon.


> out the door and
> decided to test out the patch for TAP5-2632. In the course of doing so
> we found another related issue.
>

Thanks for testing!


> When the path /assets/META-INF is entered in the browser it causes a
> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> class since the code does not guard against the possibility that indexOf
> will not find a match. Below is the offending code and the exception.
>
>   It seems that this needs to get patched to harden the application
> against bad input which is apparently very easy to devise. That was
> actually the first test string entered when testing the patch. Clearly
> Tapestry should not be responding to bad input with an exception.
>
> int slashx = extraPath.indexOf('/');
>
> java.lang.StringIndexOutOfBoundsException
> begin 0, end -1, length 8
>

I'll take care of that.


>
> Best Regards,
> David Taylor

--
Thiago

Re: Ready for 5.6.0? Any blockers?

Thiago H de Paula Figueiredo
In reply to this post by David Taylor
Thanks! I ended up fixing this in a slightly different manner and committed
the fix.

On Fri, Jul 24, 2020 at 1:11 AM David Taylor <[hidden email]>
wrote:

> FYI - The following modifications to ChecksumPath prevent the
> StringIndexOutOfBoundsException and allow the server to respond with a
> 404 error.
>
>      public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
>      {
>          this.streamer = streamer;
>          int slashx = extraPath.indexOf('/');
>
>          checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
>
>          String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
>
>          resourcePath = baseFolder == null
>            ? morePath
>            : baseFolder + "/" + morePath;
>      }

--
Thiago

Re: Ready for 5.6.0? Any blockers?

David Taylor
Thanks. I will grab your changes and apply those to the patch we are
using for the current release.

David


On 7/26/2020 3:12 PM, Thiago H. de Paula Figueiredo wrote:

> Thanks! I ended up fixing this in a slightly different manner and committed
> the fix.


Re: Ready for 5.6.0? Any blockers?

Thiago H de Paula Figueiredo
Hello, everyone!

I've just uploaded 5.6.0-SNAPSHOT to the Apache Maven staging repository to
make it easier for everyone to give it a spin without having to build from
source. Unless something really bad comes up, I should follow with putting
5.6.0 to a vote without any changes from this snapshot. My plan, which
everyone has a right to disagree with, is to have major stuff deferred to 5.7.0.

Feedback of all kinds welcome, as usual.

On Mon, Jul 27, 2020 at 1:58 AM David Taylor <[hidden email]>
wrote:

> Thanks. I will grab your changes and apply those to the patch we are
> using for the current release.
>
> David

--
Thiago

Re: Ready for 5.6.0? Any blockers?

Massimo Lusetti
Thank you Thiago! Really appreciate it.

On Tue, Jul 28, 2020 at 9:00 PM Thiago H. de Paula Figueiredo <
[hidden email]> wrote:

> Hello, everyone!
>
> I've just uploaded 5.6.0-SNAPSHOT to the Apache Maven staging repository to
> make it easier for everyone to give it a spin without having to build from
> source. Unless something really bad comes up, I should follow with putting
> 5.6.0 to a vote without any changes from this snapshot. My plan, which
> everyone has a right to disagree with, is to have major stuff deferred to 5.7.0.
>
> Feedback of all kinds welcome, as usual.
>
> On Mon, Jul 27, 2020 at 1:58 AM David Taylor <[hidden email]> wrote:
>
> > Thanks. I will grab your changes and apply those to the patch we are
> > using for the current release.
> >
> > David
> >
> >
> > On 7/26/2020 3:12 PM, Thiago H. de Paula Figueiredo wrote:
> > > Thanks! I ended up fixing this in a slightly different manner and
> > > committed the fix.
> > >
> > > On Fri, Jul 24, 2020 at 1:11 AM David Taylor <[hidden email]> wrote:
> > >
> > >> FYI - The following modifications to ChecksumPath prevent the
> > >> StringIndexOutOfBoundsException and allow the server to respond with a
> > >> 404 error.
> > >>
> > >>       public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
> > >>       {
> > >>           this.streamer = streamer;
> > >>           // indexOf returns -1 when extraPath contains no '/'
> > >>           int slashx = extraPath.indexOf('/');
> > >>
> > >>           // Without a slash, the whole extra path is treated as the checksum
> > >>           checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
> > >>
> > >>           // ... and the remaining resource path is empty
> > >>           String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
> > >>
> > >>           resourcePath = baseFolder == null
> > >>             ? morePath
> > >>             : baseFolder + "/" + morePath;
> > >>       }
> > >>
> > >>
> > >>
> > >> On 7/23/2020 11:39 PM, David Taylor wrote:
> > >>> Hello Everyone,
> > >>>
> > >>> We are very interested in seeing the 5.6.0 update out the door and
> > >>> decided to test out the patch for TAP5-2632. In the course of doing so
> > >>> we found another related issue.
> > >>>
> > >>> When the path /assets/META-INF is entered in the browser it causes a
> > >>> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> > >>> class since the code does not guard against the possibility that
> > >>> indexOf will not find a match. Below is the offending code and the
> > >>> exception.
> > >>>
> > >>> It seems that this needs to get patched to harden the application
> > >>> against bad input which is apparently very easy to devise. That was
> > >>> actually the first test string entered when testing the patch. Clearly
> > >>> Tapestry should not be responding to bad input with an exception.
> > >>>
> > >>> int slashx = extraPath.indexOf('/');
> > >>>
> > >>> java.lang.StringIndexOutOfBoundsException
> > >>> begin 0, end -1, length 8
> > >>>
> > >>> Best Regards,
> > >>> David Taylor
> > >>>
> > >>> On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
> > >>>> Hello, everyone!
> > >>>>
> > >>>> I'd like to release Tapestry 5.6.0 as soon as possible. There's a
> > >>>> security
> > >>>> improvement and support for Java 14 bytecode. Anything else you
> > >>>> believe is
> > >>>> a blocker this release?
> > >>>>
> > >>>> Here are the tickets included in the 5.6.0 release:
> > >>>>
>
> --
> Thiago
>


--
Massimo Lusetti
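
The failure discussed in this thread, as an added example that is not part of any message above and is neither David Taylor's patch nor the fix committed to Tapestry: an unguarded `indexOf`/`substring` split beside one way to reject malformed paths so the handler can answer 404. The class and method names are hypothetical, and the extra path `META-INF` is assumed from the reported exception (`length 8`).

```java
import java.util.Optional;

// Added illustration; ChecksumPathDemo and its methods are hypothetical names,
// not Apache Tapestry classes.
public class ChecksumPathDemo {

    // Unguarded split as described in the thread: indexOf('/') returns -1 when
    // there is no slash, and substring(0, -1) throws.
    static String[] splitUnguarded(String extraPath) {
        int slashx = extraPath.indexOf('/');
        return new String[] { extraPath.substring(0, slashx), extraPath.substring(slashx + 1) };
    }

    // Guarded split: a path lacking either the checksum or the resource part is
    // rejected up front instead of reaching substring().
    static Optional<String[]> splitGuarded(String extraPath) {
        if (extraPath == null) return Optional.empty();
        int slashx = extraPath.indexOf('/');
        if (slashx <= 0 || slashx == extraPath.length() - 1) return Optional.empty();
        return Optional.of(new String[] { extraPath.substring(0, slashx), extraPath.substring(slashx + 1) });
    }

    // Simplified status mapping: malformed paths are "not found", never an
    // uncaught exception. A real handler would still verify the checksum and
    // the existence of the resource before answering 200.
    static int statusFor(String extraPath) {
        return splitGuarded(extraPath).isPresent() ? 200 : 404;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "META-INF" is the extra path from the report.
        String[] samples = { "abc123/css/site.css", "META-INF", "", "/site.css", "abc123/" };
        for (String s : samples) {
            String unguarded;
            try {
                String[] parts = splitUnguarded(s);
                unguarded = "checksum=" + parts[0] + " path=" + parts[1];
            } catch (StringIndexOutOfBoundsException e) {
                unguarded = "throws " + e.getClass().getSimpleName();
            }
            System.out.printf("%-22s unguarded: %-45s guarded: %d%n", "\"" + s + "\"", unguarded, statusFor(s));
        }
    }
}
```

The empty-checksum and empty-resource inputs do not throw in the unguarded version, but they yield parts that a later lookup has to cope with; rejecting them at the split keeps every malformed shape on the same 404 path.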