[ https://issues.apache.org/jira/browse/SLING-9741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
A. J. David Bosschaert closed SLING-9741.
-----------------------------------------

> Invalid path decomposition in case of multiple dots
> ---------------------------------------------------
>
> Key: SLING-9741
> URL: https://issues.apache.org/jira/browse/SLING-9741
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.7.2
> Reporter: Lars Krapf
> Assignee: A. J. David Bosschaert
> Priority: Major
> Fix For: Engine 2.7.4
>
> Time Spent: 5h 10m
> Remaining Estimate: 0h
>
> The resource resolver performs path normalization using
> [ResourceUtil.normalize()|https://github.com/apache/sling-org-apache-sling-api/blob/a459f157b87e2ca6a274a1d890aad1d86ff7a631/src/main/java/org/apache/sling/api/resource/ResourceUtil.java#L49].
>
> This leads to unexpected results in the case of a combination of non-existing
> resources, and multiple dots in a path segment.
> E.g. the following request:
> {{http://localhost/content/a.js/......children....-1....json/a.txt}}
> will be decomposed as follows:
> {code}
> Extension=json
> resourcePath=/content/a.js/..
> selectors=[, , , children, , , , -1]
> seclectorString=...children....-1...
> suffix=/a.txt
> {code}
> Note that the first two dots of the third path segment are interpreted as the
> parent path (a.js does not exist), which essentially turns this line into
> {{/content.children.-1.json/a.txt}}, which can confuse reverse proxies.
> I think the {{..}} should only be interpreted as the parent path if followed
> by a {{/}} (or potentially a semicolon if path parameters on {{..}} segments
> should be allowed).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
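The rule proposed in the report, treating `..` as the parent path only when it is a whole segment (optionally followed by `;` path parameters), sketched as an added example; this is not Sling's code or the fix shipped in Engine 2.7.4. The class and method names are hypothetical, and trailing slashes are not preserved.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class SegmentAwareNormalize {

    // True only when the whole segment is ".."; path parameters after ';' are ignored.
    static boolean isParentSegment(String segment) {
        int semi = segment.indexOf(';');
        String name = semi >= 0 ? segment.substring(0, semi) : segment;
        return name.equals("..");
    }

    // A segment that starts with ".." but is not a parent reference, e.g. "......children".
    // A proxy or filter can log or reject these instead of guessing how the backend splits them.
    static boolean isAmbiguousDotSegment(String segment) {
        return segment.startsWith("..") && !isParentSegment(segment);
    }

    // Normalizes an absolute path segment by segment; returns null if ".." climbs above the root.
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                 // skip "//" and "/./"
            }
            if (isParentSegment(segment)) {
                if (out.isEmpty()) {
                    return null;          // would escape the root
                }
                out.removeLast();         // drop the previous segment
            } else {
                out.addLast(segment);     // dots inside a name stay literal
            }
        }
        return "/" + String.join("/", out);
    }

    public static void main(String[] args) {
        // Path taken from the report: the dots sit inside a segment name.
        String reported = "/content/a.js/......children....-1....json/a.txt";
        System.out.println(normalize(reported));
        // Constructed inputs: a real parent segment, with and without path parameters.
        System.out.println(normalize("/content/a.js/../b"));
        System.out.println(normalize("/content/a.js/..;v=1/b"));
        for (String s : reported.split("/")) {
            if (isAmbiguousDotSegment(s)) {
                System.out.println("ambiguous segment: " + s);
            }
        }
    }
}
```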