[ https://issues.apache.org/jira/browse/SLING-10225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304160#comment-17304160 ]

Lars Krapf commented on SLING-10225:
------------------------------------

Hello [~rombert]

I agree that the fix for SLING-9741, i.e. {{path.contains("...")}}, is incomplete 
(at least for JCR), since {{.}} is a valid node name character. Some ambiguity 
most likely cannot be avoided. 
Actually, I would *not* invalidate the path in the first place, but simply try 
to be a bit more consistent with the normalization. I'm not sure if anything 
other than {{/../}} or {{/..;foo/}} should resolve to the parent. From a strict 
security POV, however, there is no right or wrong IMO; it's just different 
interpretations.

[~dklco]:
> Or would this just make more sense to handle in the reverse proxy rather 
> than building this into the Sling Engine?

I think it's a combination of both. The decomposition from SLING-9741 is 
rather confusing (note that additionally this is dependent on whether {{a.js}} 
exists or not, so it's impossible for a static proxy to determine the correct 
resolution). But the problem of mismatching interpretations of ".." is 
[not unique to Sling|https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/] 
- I think the best we can do is to be consistent and well documented.

> Files with ".." In Name Throw 400 Exception
> -------------------------------------------
>
>                 Key: SLING-10225
>                 URL: https://issues.apache.org/jira/browse/SLING-10225
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 2.7.4
>            Reporter: Dan Klco
>            Priority: Critical
>             Fix For: Engine 2.7.6
>
>
> SLING-9741 and the [associated PR|https://github.com/apache/sling-org-apache-sling-engine/pull/11] 
> introduced a regression where the Sling Engine will return a 400 error on 
> requests based on the presence of ".." in the URL when not preceded by a 
> slash.
> This is an issue as file names may contain multiple periods, and it is not 
> obvious that it would cause an issue to upload a file with two periods in the 
> name.
> h2. Reproduction steps:
> * Update a Sling instance to use Engine 2.7.4
> * Upload a file containing .. in the path
> * Attempt to get the file or any path with the file as a suffix
> * Note this returns a 400 error
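The distinction the comment draws, a blanket {{path.contains("..")}} rejection versus structural normalization that only treats a segment named exactly {{..}} (or {{..;foo}}) as the parent, is easy to see side by side. The following is an added illustration written for this page, not Sling's own resolver: it assumes that a {{;}} inside a segment starts a path parameter (so {{..;v=1}} still names the parent) and, unlike Sling's resource resolution, it ignores whether {{a.js}} exists on the repository side. Sample paths are constructed.

```python
"""Segment-based normalization of a request path, contrasted with the
naive ``path.contains("..")`` rejection discussed in SLING-10225.

Illustrative code added for this page, not Sling's implementation.
Assumptions (not taken from the issue): a ';' inside a segment starts a
path parameter, so ``..;foo`` names the parent, and only a segment whose
name is exactly ``..`` moves up one level.
"""


def naive_rejects(path: str) -> bool:
    """The SLING-9741 style check: any '..' anywhere leads to a 400."""
    return ".." in path


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments structurally.

    Raises ValueError if the path tries to climb above the root, which is
    the case a server should refuse rather than silently clamp.
    """
    if not path.startswith("/"):
        raise ValueError("only absolute paths are handled")
    out = []
    for segment in path.split("/"):
        if segment == "":
            continue  # leading slash or '//' collapses
        # Strip a JCR-style path parameter ("..;v=1" -> "..").  Assumption.
        name = segment.split(";", 1)[0]
        if name == ".":
            continue
        if name == "..":
            if not out:
                raise ValueError("path escapes the root: %r" % path)
            out.pop()
            continue
        out.append(segment)  # 'a..js', 'report..2021.pdf' are ordinary names
    return "/" + "/".join(out)


def classify(path: str) -> dict:
    """Compare both policies on one input."""
    try:
        normalized = normalize_path(path)
        escapes = False
    except ValueError:
        normalized = None
        escapes = True
    return {
        "path": path,
        "naive_400": naive_rejects(path),
        "normalized": normalized,
        "escapes_root": escapes,
    }


# Constructed sample paths: legitimate two-dot names beside real parent
# references.
SAMPLES = [
    "/content/site/a..js",             # legitimate name, 400'd by the naive check
    "/content/site/report..2021.pdf",  # same
    "/content/site/x/../a.js",         # genuine parent reference
    "/content/site/x/..;v=1/a.js",     # parent reference with path parameter
    "/content/../../outside",          # climbs above the root: refuse
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Running it shows that the naive check flags every sample, including the two legitimate file names, while the segment walk keeps those untouched, resolves the two real parent references to {{/content/site/a.js}}, and refuses only the path that climbs above the root.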



--
This message was sent by Atlassian Jira
(v8.3.4#803005)