Details
-
Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
None
-
None
Description
When updating the Sling Starter
org.apache.felix:org.apache.felix.http.jetty from 4.1.14 to 4.2.10 and
org.apache.felix:org.apache.felix.http.servlet-api from 1.1.4 to 1.2.0
.
There are 3 failures in the IncludeIT that show that the
javax.servlet.include.request_uri attribute is no longer present:
[ERROR] Failures:
[ERROR] IncludeTest.testForcedResourceType:149->assertIncludeRequestAttributes:154->assertIncludeRequestAttributes:167->assertRequestAttribute:189 Expected content contains '-javax.servlet.include.request_uri'
[ERROR] IncludeTest.testWithInclude:114->assertIncludeRequestAttributes:154->assertIncludeRequestAttributes:167->assertRequestAttribute:189 Expected content contains '-javax.servlet.include.request_uri'
[ERROR] IncludeTest.testWithIncludeAndExtension:123->assertIncludeRequestAttributes:154->assertIncludeRequestAttributes:167->assertRequestAttribute:189 Expected content contains '-javax.servlet.include.request_uri'
cziegeler thinks this is due to new code in 4.2.0 https://github.com/apache/felix-dev/blob/http-4.x/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java#L166 and that the solution here is to do the same in Sling Engine as Apache Felix is doing: instead of setting the attributes on the request, overwriting the getAttribute method. This avoids leakage of information as well.
See also the dev@sling.apache.org discussion at https://lists.apache.org/thread/wbfs0bvv0yk8nhggtx969nxwjyxs3c1o .