Posted to dev@sling.apache.org by "Robert wunsch (Jira)" <ji...@apache.org> on 2021/06/10 10:00:00 UTC
[jira] [Commented] (SLING-9741) Invalid path decomposition in case of multiple dots
[ https://issues.apache.org/jira/browse/SLING-9741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17360707#comment-17360707 ]
Robert wunsch commented on SLING-9741:
--------------------------------------
Hello,
This fix is great to harden SLING for XSS attacks.
Unfortunately, it seems that "..<extension>" is now also not resolved any longer (so an "empty SELECTOR").
This causes requests to fail - if a Selector is generated by "code" - but the selector is not set (so leading to "/a/b.s1+*..*+html").
(AEM ClassicUI is generating such request-URLs for a reason unknown to me.)
I think this is already being discussed in https://issues.apache.org/jira/browse/SLING-10225 .
> Invalid path decomposition in case of multiple dots
> ---------------------------------------------------
>
> Key: SLING-9741
> URL: https://issues.apache.org/jira/browse/SLING-9741
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.7.2
> Reporter: Lars Krapf
> Assignee: A. J. David Bosschaert
> Priority: Major
> Fix For: Engine 2.7.4
>
> Time Spent: 5h 10m
> Remaining Estimate: 0h
>
> The resource resolver performs path normalization using [ResourceUtil.normalize()|https://github.com/apache/sling-org-apache-sling-api/blob/a459f157b87e2ca6a274a1d890aad1d86ff7a631/src/main/java/org/apache/sling/api/resource/ResourceUtil.java#L49].
> This leads to unexpected results in the case of a combination of non-existing resources, and multiple dots in a path segment.
> E.g. the following request:
> {{http://localhost/content/a.js/......children....-1....json/a.txt}}
> will be decomposed as follows:
> {code}
> Extension=json
> resourcePath=/content/a.js/..
> selectors=[, , , children, , , , -1]
> seclectorString=...children....-1...
> suffix=/a.txt
> {code}
> Note that the first two dots of the third path segment are interpreted as the parent path (a.js does not exist), which essentially turns this line into {{/content.children.-1.json/a.txt}}, which can confuse reverse proxies.
> I think the {{..}} should only be interpreted as the parent path if followed by a {{/}} (or potentially a semicolon if path parameters on {{..}} segments should be allowed).
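The rule proposed in the issue above (treat ".." as the parent path only when it is a complete segment), with a check that separates the issue's leading-dot segment from the empty selector described in the comment. This is an added Java example, not Sling's code and not the SLING-9741 fix; the class and method names are hypothetical, and the comment's path is used without its Jira emphasis markup (an assumption).

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;

/** Added example (hypothetical names): segment-aware ".." handling; not Sling's implementation. */
public class DotSegmentCheck {

    /** Resolves "." and ".." only when they form a whole segment; returns null if ".." climbs above the root. */
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                      // skip empty and current-directory segments
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null;               // would escape the root: reject
                }
                out.removeLast();
            } else {
                out.addLast(seg);              // dots inside a longer segment are kept literally
            }
        }
        return "/" + String.join("/", out);
    }

    /** Reports segments whose dots a prefix-based parser could read differently from this one. */
    static List<String> findings(String path) {
        List<String> found = new ArrayList<>();
        for (String seg : path.split("/")) {
            if (seg.equals("..")) {
                continue;                      // a genuine parent reference
            }
            if (seg.startsWith("..")) {
                found.add("segment starts with '..' but is not a parent reference: " + seg);
            } else if (seg.contains("..")) {
                found.add("empty selector (consecutive dots): " + seg);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/content/a.js/......children....-1....json/a.txt", // path from the issue
            "/a/b.s1..html",        // path from the comment, emphasis markup dropped (assumption)
            "/content/a/../b.html"  // constructed: a real parent reference
        };
        for (String p : samples) {
            System.out.println(p + " -> " + normalize(p) + " " + findings(p));
        }
    }
}
```

The two findings are kept separate because, per the comment, empty selectors occur in legitimate generated URLs, while a segment that merely begins with ".." is the case the issue describes as confusing reverse proxies.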