Posted to dev@sling.apache.org by "Akanksha Jain (Jira)" <ji...@apache.org> on 2022/01/12 10:08:00 UTC

[jira] [Commented] (SLING-11054) Sling Referrer Filter throws ArrayIndexOutOfBoundsException when ?:// referrer is entered on servlet

    [ https://issues.apache.org/jira/browse/SLING-11054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17474420#comment-17474420 ] 

Akanksha Jain commented on SLING-11054:
---------------------------------------

If a request has a referrer as "?://", it will be marked as invalid.

> Sling Referrer Filter throws ArrayIndexOutOfBoundsException when ?:// referrer is entered on servlet
> ----------------------------------------------------------------------------------------------------
>
>                 Key: SLING-11054
>                 URL: https://issues.apache.org/jira/browse/SLING-11054
>             Project: Sling
>          Issue Type: Bug
>          Components: Sling Security
>            Reporter: Akanksha Jain
>            Priority: Minor
>
> When the Referrer value is set as "?://" on servlet, an ArrayIndexOutOfBoundsException is thrown in the Sling Referrer filter.
> {code:java}
> Exception below:
> java.lang.StringIndexOutOfBoundsException: String index out of range: -4
> at java.lang.String.substring(String.java:1931)
> at org.apache.sling.security.impl.ReferrerFilter.getHost(ReferrerFilter.java:350)
> at org.apache.sling.security.impl.ReferrerFilter.isValidRequest(ReferrerFilter.java:385)
> at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:318)
> at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:133)
> at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1020)
> at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1024)
> at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91)
> at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> at org.eclipse.jetty.server.Server.handle(Server.java:503)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
> at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
> at java.lang.Thread.run(Thread.java:745)
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
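As an added illustration, not code from the Sling project or from the reporter, here is a referrer host extraction that delegates parsing to java.net.URI instead of index arithmetic, so a header value such as "?://" yields "no host" (treated as invalid, matching the comment above) rather than a StringIndexOutOfBoundsException; the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Hypothetical helper, added for illustration only; not Sling's ReferrerFilter. */
public final class ReferrerHostExtractor {

    private ReferrerHostExtractor() {}

    /**
     * Returns the lower-cased host of an absolute referrer, or null when no
     * host can be determined. A null result is what the caller should treat
     * as "invalid referrer"; nothing in here throws on malformed input.
     */
    public static String getHost(final String referrer) {
        if (referrer == null || referrer.trim().isEmpty()) {
            return null;
        }
        final URI uri;
        try {
            uri = new URI(referrer.trim());
        } catch (URISyntaxException e) {
            // e.g. "://" (empty scheme name) ends up here instead of in substring()
            return null;
        }
        // "?://" parses as a *relative* URI (empty path, query "://"),
        // so it has no scheme and no host; reject anything non-absolute.
        if (!uri.isAbsolute()) {
            return null;
        }
        // getHost() is also null for authorities URI cannot parse as a host
        // (e.g. names containing '_'); those are reported as invalid too.
        final String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return null;
        }
        return host.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample header values, including the value from the issue.
        String[] samples = {"https://example.com/page", "http://EXAMPLE.org:8080/x?y=1",
                            "?://", "://", "example.com/relative", ""};
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + getHost(s));
        }
    }
}
```

Only the first two samples produce a host ("example.com" and "example.org"); the remaining ones, including "?://", return null without an exception.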