[
https://issues.apache.org/jira/browse/SLING-10225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karl Pauls resolved SLING-10225.
--------------------------------
Resolution: Fixed
Done in https://github.com/apache/sling-org-apache-sling-engine/pull/15
We now don't allow empty selectors as well as not allowing /.. or really and
segment with only dots.
> Files with ".." In Name Throw 400 Exception
> -------------------------------------------
>
> Key: SLING-10225
> URL: https://issues.apache.org/jira/browse/SLING-10225
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.7.4
> Reporter: Dan Klco
> Assignee: Karl Pauls
> Priority: Critical
> Fix For: Engine 2.7.6
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> SLING-9741 and the [associated
> PR|https://github.com/apache/sling-org-apache-sling-engine/pull/11]
> introduced a regression where the Sling Engine will return a 400 error on
> requests based on the presence of ".." in the URL when not preceded by a
> slash.
> This is an issue as file names may contain multiple periods and it is not
> obvious that it would cause an issue to upload a file with two periods in the
> name.
> h2. Reproduction steps:
> * Update a Sling instance to use Engine 2.7.4
> * Upload a file containing .. in the path
> * Attempt to get the file or any path with the file as a suffix
> * Note this returns a 400 error
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
