[SLING-7777] XSSFilter is rejecting URLs containing only queries or fragments - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: XSS Protection API 2.0.10
Fix Version/s: XSS Protection API 2.0.12
Component/s: XSS Protection API
Labels:
- XSS

Description

The XSSFilter is erroneously rejecting URLs that consist only of queries, (potentially empty) fragments or both, e.g. "#", "#test", "?foo=bar" etc.

Even though the RELATIVE_PART regexp contains an PATH_EMPTY group, it is explicitly matching the entire string, so will fail if the QUERY or FRAGMENT groups match.

A potential solution (see attached patch and tests) might be to remove the PATH_EMPTY group from the RELATIVE_PART, and make the entire RELATIVE_PART optional by adding ? to the group in RELATIVE_REF. This will still match completely empty URLs.

Attachments

sling_xssfilter_patch.txt
12/Jul/18 16:45
26 kB
Lars Krapf

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Radu Cotescu

Reporter:: Lars Krapf

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/Jul/18 16:46

Updated:: 07/Aug/18 15:20

Resolved:: 02/Aug/18 18:21

Agile

View on Board

XSSFilter is rejecting URLs containing only queries or fragments

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment