[ https://issues.apache.org/jira/browse/SLING-9740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-9740.
-------------------------------------
    Resolution: Fixed

Fixed in 
https://github.com/apache/sling-org-apache-sling-engine/commit/c8bee929ac939e97a33239742fe20b6cc99db52c

> Invalid handling of requests containing URL path parameters
> -----------------------------------------------------------
>
>                 Key: SLING-9740
>                 URL: https://issues.apache.org/jira/browse/SLING-9740
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 2.7.2
>            Reporter: Lars Krapf
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Engine 2.9.0
>
>
> {{RequestData.initResource()}} has support for requests containing URL-path 
> parameters (e.g. /path;foo=bar/path2;bar=baz/). It will split at the first 
> semicolon, and concatenate this to the {{request.getPathInfo()}} (not 
> containing such parameters). See 
> [RequestData.java|https://github.com/apache/sling-org-apache-sling-engine/blob/master/src/main/java/org/apache/sling/engine/impl/request/RequestData.java#L232].
>  However, this handling is incomplete as it only covers the case where one 
> such parameter is added at the end of the request, but path parameters can be 
> added to *any* path segment, leading to unexpected results.
> E.g. the following request:
> http://localhost:4502/content;foo=bar/we-retail;bar=baz/us/en.html
> will result in {{path}} being:
> /content/we-retail/us/en.html;foo=bar/we-retail;bar=baz/us/en.html
> This gets especially confusing when path normalization happens in conjunction 
> with path parameters:
> http://localhost/content/we-retail.html/..;/..;/bin/querybuilder.json.css?path=/home/users
> will result in {{path}} being:
> /bin/querybuilder.json.css;/..;/bin/querybuilder.json.css
> after the concatenation. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
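
Added example, not part of the original message or of Sling's code: a small Java model of the handling the report describes, reproducing both {{path}} values quoted above. `pathInfo` is an assumed stand-in for the container's parameter-free, normalized `getPathInfo()`, and `hasUnexpectedPathParam` is a hypothetical check, not the committed fix.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class PathParamDemo {
    // Assumed container model: drop ";..." from every segment, then resolve "." and "..".
    static String pathInfo(String rawPath) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : rawPath.split("/")) {
            int semi = seg.indexOf(';');
            String name = semi >= 0 ? seg.substring(0, semi) : seg;
            if (name.isEmpty() || name.equals(".")) continue;
            if (name.equals("..")) { out.pollLast(); continue; }
            out.addLast(name);
        }
        return "/" + String.join("/", out);
    }

    // Handling as the report describes it: take the raw path from its first
    // semicolon onward and append it to the parameter-free pathInfo.
    static String describedPath(String rawPath) {
        int semi = rawPath.indexOf(';');
        String info = pathInfo(rawPath);
        return semi >= 0 ? info + rawPath.substring(semi) : info;
    }

    // Hypothetical check: a parameter on any segment but the last, or on a
    // dot-segment, falls outside the one case the report says is covered.
    static boolean hasUnexpectedPathParam(String rawPath) {
        String[] segs = rawPath.split("/");
        for (int i = 0; i < segs.length; i++) {
            int semi = segs[i].indexOf(';');
            if (semi < 0) continue;
            String name = segs[i].substring(0, semi);
            if (i < segs.length - 1 || name.equals(".") || name.equals("..")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = { // two request paths from the report, one constructed benign case
            "/content;foo=bar/we-retail;bar=baz/us/en.html",
            "/content/we-retail.html/..;/..;/bin/querybuilder.json.css",
            "/content/we-retail/us/en.html;v=1" };
        for (String s : samples)
            System.out.println(s + "\n  path    = " + describedPath(s)
                + "\n  flagged = " + hasUnexpectedPathParam(s));
    }
}
```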
