Posted to users@archiva.apache.org by machens <ma...@gmail.com> on 2023/01/01 19:23:11 UTC
Non-canonical repository paths and default config

Hello there!

In Archiva's (v2.2.9) default configuration, repositories "internal" and
"snapshots" have a path like this:

./repositories/internal

Prefix "./" causes all repo-api requests to fail with status code "Bad
Request" (see below for an explanation and code reference).

When looking at the folders created in the working directory, I also
believe the current default configuration for repo "Directory" and
"Index Directory" has not been updated since paths have been reworked.

Cheers
Holger M.

Explanation of the Bad Request responses
----------------------------------------
The server validates requests by checking if the given canonicalized
resource path is equal to an absolute path and replies with Bad Request
(400) if not. Unfortunately, the absolute path contains the user
configured repository directory path, which may not be canonical. Found
that in ArchivaDavResourceFactory (see snippet below).

ArchivaDavResourceFactory:605
---------------------------------------------------------------------------
LogicalResource logicalResource = new LogicalResource(path);
File resourceFile = new File(
    managedRepositoryContent.getRepoRoot(), path);
if(!resourceFile.getCanonicalPath().equals(resourceFile.getAbsolutePath()))
{
    throw new DavException( HttpServletResponse.SC_BAD_REQUEST );
}
---------------------------------------------------------------------------
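
The mismatch described in this post, as an added Java example that is not part of the original message or of Archiva's code: `originalCheckPasses` repeats the quoted comparison, and `containedInRoot` is one assumed alternative that canonicalizes the configured root first and then requires the resource to stay inside it. The class name, method names and sample paths are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

// Added illustration; names are hypothetical and this is not Archiva code.
public class CanonicalPathCheck {

    // Same comparison as the quoted snippet: canonical vs. absolute form of one
    // File. Any "." or ".." segment, including one that comes from the
    // configured repository root, makes the two strings differ.
    static boolean originalCheckPasses(String repoRoot, String path) throws IOException {
        File resourceFile = new File(repoRoot, path);
        return resourceFile.getCanonicalPath().equals(resourceFile.getAbsolutePath());
    }

    // Assumed alternative: canonicalize the configured root once, resolve the
    // request path against it, and accept only results located under that root.
    // Path.startsWith compares whole path elements, not string prefixes.
    static boolean containedInRoot(String repoRoot, String path) throws IOException {
        File root = new File(repoRoot).getCanonicalFile();
        File resource = new File(root, path).getCanonicalFile();
        return resource.toPath().startsWith(root.toPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the default-style root from the post, the same
        // root without "./", one ordinary artifact path and one path that
        // leaves the repository directory.
        String[] roots = { "./repositories/internal", "repositories/internal" };
        String[] paths = { "org/example/demo/1.0/demo-1.0.pom", "../../outside.txt" };

        for (String root : roots) {
            for (String path : paths) {
                System.out.printf("root=%-26s path=%-36s original=%-5b contained=%b%n",
                        root, path,
                        originalCheckPasses(root, path),
                        containedInRoot(root, path));
            }
        }
    }
}
```

Because `getCanonicalPath()` also resolves symbolic links, the quoted comparison can fail even with a root that has no "./" prefix when a directory above the repository is a symlink; the containment form is not affected by that, since both sides are canonicalized.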
Re: Non-canonical repository paths and default config
Posted by Olivier Lamy <ol...@apache.org>.
Hi
Sounds definitely like a bug!
Do you have time to create a PR for this?
Thanks
Olivier
On Mon, 2 Jan 2023 at 03:23, machens <ma...@gmail.com> wrote:
>
> Hello there!
>
>
>
> In Archiva's (v2.2.9) default configuration, repositories "internal" and
> "snapshots" have a path like this:
>
> ./repositories/internal
>
> Prefix "./" causes all repo-api requests to fail with status code "Bad
> Request" (see below for an explanation and code reference).
>
> When looking at the folders created in the working directory, I also
> believe the current default configuration for repo "Directory" and
> "Index Directory" has not been updated since paths have been reworked.
>
>
>
> Cheers
> Holger M.
>
>
>
>
>
> Explanation of the Bad Request responses
> ----------------------------------------
> The server validates requests by checking if the given canonicalized
> resource path is equal to an absolute path and replies with Bad Request
> (400) if not. Unfortunately, the absolute path contains the user
> configured repository directory path, which may not be canonical. Found
> that in ArchivaDavResourceFactory (see snippet below).
>
>
> ArchivaDavResourceFactory:605
> ---------------------------------------------------------------------------
> LogicalResource logicalResource = new LogicalResource(path);
> File resourceFile = new File(
>     managedRepositoryContent.getRepoRoot(), path);
> if(!resourceFile.getCanonicalPath().equals(resourceFile.getAbsolutePath()))
> {
>     throw new DavException( HttpServletResponse.SC_BAD_REQUEST );
> }
> ---------------------------------------------------------------------------
>
>