Posted to dev@sling.apache.org by "Lars Krapf (Jira)" <ji...@apache.org> on 2020/09/17 09:20:00 UTC

[jira] [Created] (SLING-9741) Invalid path decomposition in case of multiple dots

Lars Krapf created SLING-9741:
---------------------------------

             Summary: Invalid path decomposition in case of multiple dots
                 Key: SLING-9741
                 URL: https://issues.apache.org/jira/browse/SLING-9741
             Project: Sling
          Issue Type: Bug
          Components: ResourceResolver
    Affects Versions: Resource Resolver 1.7.0
            Reporter: Lars Krapf


The resource resolver performs path normalization using [ResourceUtil.normalize()|https://github.com/apache/sling-org-apache-sling-api/blob/a459f157b87e2ca6a274a1d890aad1d86ff7a631/src/main/java/org/apache/sling/api/resource/ResourceUtil.java#L49]. 

This leads to unexpected results in the case of a combination of non-existing resources, and multiple dots in a path segment. 

E.g. the following request:
{{http://localhost/content/a.js/......children....-1....json/a.txt}}

will be decomposed as follows:
{code}
Extension=json
resourcePath=/content/a.js/..
selectors=[, , , children, , , , -1]
selectorString=...children....-1...
suffix=/a.txt
{code}

Note that the first two dots of the third path segment are interpreted as the parent path (a.js does not exist), which essentially turns this line into {{/content.children.-1.json/a.txt}}, which can confuse reverse proxies. 

I think the {{..}} should only be interpreted as the parent path if followed by a {{/}} (or potentially a semicolon if path parameters on {{..}} segments should be allowed).



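The rule proposed in the report, sketched as an added example (not part of the original message and not Sling's ResourceUtil code): {{..}} counts as the parent path only when it makes up a whole segment, optionally followed by a path parameter. The class and method names are hypothetical, paths are assumed to be absolute, and every sample except the first is constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Added illustration of segment-aware normalization; not Sling's implementation. */
public class SegmentAwareNormalizer {

    /** Strips a path parameter (";...") from one segment (hypothetical helper). */
    static String withoutParams(String segment) {
        int semi = segment.indexOf(';');
        return semi < 0 ? segment : segment.substring(0, semi);
    }

    /**
     * Resolves "." and ".." only when they are a complete segment.
     * Returns null if ".." would climb above the root.
     */
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            String name = withoutParams(segment);
            if (segment.isEmpty() || name.equals(".")) {
                continue;                 // "//" and "/./" collapse
            }
            if (name.equals("..")) {
                if (stack.isEmpty()) {
                    return null;          // would escape the root: reject
                }
                stack.removeLast();       // a real parent reference
            } else {
                stack.addLast(segment);   // "......children" is an ordinary name
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        String[] samples = {
            "/content/a.js/......children....-1....json/a.txt", // path from the report
            "/content/a.js/../b.json",                         // constructed
            "/content/a.js/..;x=1/b.json",                     // constructed
            "/../etc"                                          // constructed
        };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s));
        }
    }
}
```

With this rule the path from the report comes back unchanged, so a reverse proxy and the resolver see the same segments, while the two constructed {{..}} segments still resolve to the parent.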