[SLING-9741] Invalid path decomposition in case of multiple dots - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Engine 2.7.2
Fix Version/s: Engine 2.7.4
Component/s: Engine
Labels:
None

Description

The resource resolver performs path normalization using ResourceUtil.normalize().

This leads to unexpected results in the case of a combination of non-existing resources, and multiple dots in a path segment.

E.g. the following request:
http://localhost/content/a.js/......children....-1....json/a.txt

will be decomposed as follows:

Extension=json
resourcePath=/content/a.js/..
selectors=[, , , children, , , , -1]
seclectorString=...children....-1...
suffix=/a.txt

Note that the first two dots of the third path segment are interpreted as the parent path (a.js does not exist), which essentially turns this line into /content.children.-1.json/a.txt, which can confuse reverse proxies.

I think the .. should only be interpreted as the parent path if followed by a / (or potentially a semicolon if path parameters on .. segments should be allowed).

Attachments

Issue Links

causes

SLING-10225 Files with ".." In Name Throw 400 Exception

Closed

Activity

People

Assignee:: A. J. David Bosschaert

Reporter:: Lars Krapf

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 17/Sep/20 09:19

Updated:: 10/Jun/21 09:59

Resolved:: 22/Feb/21 17:00

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

5h 10m