[ https://issues.apache.org/jira/browse/SLING-11854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718474#comment-17718474 ]
Carsten Ziegeler commented on SLING-11854:
------------------------------------------

First of all, access control applies. Second, the documentation also clearly states that traversal is allowed. We have had this behaviour since the beginning, so I'm pretty sure there is code out there relying on it, at least on the empty string. As this is a Java API I suggest that you sanitize user input before it is used as an argument to the resource resolver.

> ResourceResolver#getResource("") & ResourceResolver(".") should return null
> ---------------------------------------------------------------------------
>
> Key: SLING-11854
> URL: https://issues.apache.org/jira/browse/SLING-11854
> Project: Sling
> Issue Type: Improvement
> Components: ResourceResolver
> Affects Versions: Resource Resolver 1.10.0
> Reporter: Henry Kuijpers
> Priority: Critical
> Attachments: screenshot-1.png
>
>
> We noticed that ResourceResolver#getResource is returning unexpected values
> for "" (empty string) and "." (dot).
> We would expect null to be returned, however, instead we get an object whose
> toString is:
> SyntheticResource, type=sling:syntheticResourceProviderResource, path=/apps
> The sling.resolutionPath (in resource metadata) is set to /apps, which is
> also unexpected.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
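
One way to do the input sanitization suggested in the comment, as an added example that is not code from Sling or from this thread. The class `SafeResourcePath`, its `sanitize` method and the root `/content/site` are hypothetical; the check rejects relative input such as "" and "." (which `getResource` resolves against the resolver's search path, consistent with the `/apps` result in the report) and anything that normalizes to a path outside the allowed root.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

/** Hypothetical helper (not part of Sling): vet a user-supplied path before resolver.getResource(path). */
public final class SafeResourcePath {

    private SafeResourcePath() {}

    /**
     * Returns the normalized absolute path if it lies at or below allowedRoot, otherwise empty.
     * Assumption: allowedRoot is itself a normalized absolute path other than "/".
     */
    public static Optional<String> sanitize(String userInput, String allowedRoot) {
        // "", "." and "apps" are relative: the resolver would apply its search path to them.
        if (userInput == null || !userInput.startsWith("/")) {
            return Optional.empty();
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : userInput.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // collapse "//" and "/./"
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return Optional.empty(); // climbs above the repository root
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        String normalized = "/" + String.join("/", segments);
        boolean inside = normalized.equals(allowedRoot) || normalized.startsWith(allowedRoot + "/");
        return inside ? Optional.of(normalized) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "/content/site" is an assumed application root.
        String[] inputs = {"", ".", "apps", "/content/site/page",
                           "/content/site/../../apps", "/content/site/./a//b"};
        for (String input : inputs) {
            // Only a present value would be handed to resolver.getResource(...).
            String outcome = sanitize(input, "/content/site").map(p -> "lookup " + p).orElse("rejected");
            System.out.println("\"" + input + "\" -> " + outcome);
        }
    }
}
```

Of the sample inputs, only `/content/site/page` and `/content/site/./a//b` (normalized to `/content/site/a/b`) pass; access control on the repository still applies to whatever is looked up afterwards.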