[ https://issues.apache.org/jira/browse/SLING-9741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17278711#comment-17278711 ]

Akanksha Jain commented on SLING-9741:
--------------------------------------

Hello

[~cziegeler] [~rombert]

I have prepared the patch, PR link:
https://github.com/apache/sling-org-apache-sling-engine/pull/11

Request you to review it, and if it looks fine, please merge it to master.

> Invalid path decomposition in case of multiple dots
> ---------------------------------------------------
>
>                 Key: SLING-9741
>                 URL: https://issues.apache.org/jira/browse/SLING-9741
>             Project: Sling
>          Issue Type: Bug
>          Components: ResourceResolver
>    Affects Versions: Resource Resolver 1.7.0
>            Reporter: Lars Krapf
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The resource resolver performs path normalization using 
> [ResourceUtil.normalize()|https://github.com/apache/sling-org-apache-sling-api/blob/a459f157b87e2ca6a274a1d890aad1d86ff7a631/src/main/java/org/apache/sling/api/resource/ResourceUtil.java#L49].
>  
> This leads to unexpected results in the case of a combination of non-existing 
> resources, and multiple dots in a path segment. 
> E.g. the following request:
> {{http://localhost/content/a.js/......children....-1....json/a.txt}}
> will be decomposed as follows:
> {code}
> Extension=json
> resourcePath=/content/a.js/..
> selectors=[, , , children, , , , -1]
> seclectorString=...children....-1...
> suffix=/a.txt
> {code}
> Note that the first two dots of the third path segment are interpreted as the 
> parent path (a.js does not exist), which essentially turns this line into 
> {{/content.children.-1.json/a.txt}}, which can confuse reverse proxies. 
> I think the {{..}} should only be interpreted as the parent path if followed 
> by a {{/}} (or potentially a semicolon if path parameters on {{..}} segments 
> should be allowed).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
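The quoted issue proposes that `..` should only count as a parent reference when it forms a whole path segment, i.e. is followed by `/` (or ends the path). The following Python model is an added example, not code from Sling, from the linked PR or from the issue: it implements that rule for normalization, and applies it to a resource-path candidate cut from the front of the request path, using the request from the issue as constructed input. The function names, the prefix-candidate model and the choice to return `None` for a path that climbs above the root are assumptions of this example, not Sling behaviour.

```python
from typing import Optional

# Constructed input: the request path quoted in SLING-9741.
REQUEST = "/content/a.js/......children....-1....json/a.txt"


def normalize_strict(path: str) -> Optional[str]:
    """Collapse '.' and '..' only where they are complete segments.

    A segment such as '......children' is an ordinary name: its leading dots
    are never treated as navigation. Returns None when '..' would climb above
    the root (a choice of this model, not necessarily Sling's).
    """
    if not path.startswith("/"):
        raise ValueError("absolute path expected: %r" % path)
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                # empty (double slash) or current dir
        if seg == "..":
            if not out:
                return None         # would escape the root
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def dotdot_is_whole_segment_in(request_path: str, candidate: str) -> bool:
    """The reporter's rule for a candidate resource path cut from the front of
    request_path: a trailing '..' is a parent reference only if, in the
    original request, it is followed by '/' or is the end of the path."""
    if not request_path.startswith(candidate):
        raise ValueError("candidate must be a prefix of the request path")
    if not candidate.endswith("/.."):
        return True                 # no trailing '..', nothing to decide
    rest = request_path[len(candidate):]
    return rest == "" or rest.startswith("/")


def resolve_candidate(request_path: str, candidate: str) -> Optional[str]:
    """Normalize the candidate only when its '..' is a whole segment of the
    request; otherwise hand it back literally so it is looked up as written
    (and simply not found) instead of collapsing onto the parent."""
    if dotdot_is_whole_segment_in(request_path, candidate):
        return normalize_strict(candidate)
    return candidate


if __name__ == "__main__":
    # The request from the issue contains no whole-segment '..', so it is unchanged.
    print(normalize_strict(REQUEST))
    # The prefix cut at the first dot after 'a.js/..' looks like a parent
    # reference on its own, but in the request it is followed by '.', so it
    # must not collapse to /content.
    print(resolve_candidate(REQUEST, "/content/a.js/.."))
    # A genuine parent reference (followed by '/') still normalizes.
    print(resolve_candidate("/content/a.js/../b.html", "/content/a.js/.."))
```

The difference between the two `resolve_candidate` calls is the whole point of the report: the same candidate string `/content/a.js/..` is a parent reference in `/content/a.js/../b.html` but an ordinary run of dots in the quoted request, and only the surrounding characters of the original request can tell them apart.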
