[jira] [Updated] (SLING-11438) Resource path consisting of %7D with multiple dots leads to path traversal
[ https://issues.apache.org/jira/browse/SLING-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls updated SLING-11438:
---
    Fix Version/s: Engine 2.9.2

> Resource path consisting of %7D with multiple dots leads to path traversal
> --
>
> Key: SLING-11438
> URL: https://issues.apache.org/jira/browse/SLING-11438
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.9.0
> Reporter: Sagar Miglani
> Assignee: Karl Pauls
> Priority: Major
> Fix For: Engine 2.9.2
>
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> With changes of SLING-10225, sling-engine started considering requests consisting of a resource path with %5B ([) and multiple dots as "Invalid", as it could lead to path traversal and exposure of repository content.
> But the same could happen with %7D (}) with multiple dots in the request resource path.
> e.g.:
> http://:/content/we-retail/us/en/experience.html/.%7D./.%7D./.1.json
> would lead to exposure of repository content stored at /content/we-retail/us

--
This message was sent by Atlassian Jira (v8.20.10#820010)

[jira] [Updated] (SLING-11438) Resource path consisting of %7D with multiple dots leads to path traversal
[ https://issues.apache.org/jira/browse/SLING-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sagar Miglani updated SLING-11438:
--
    Summary: Resource path consisting of %7D with multiple dots leads to path traversal (was: Resource path consising of %7D with multiple dots leads to path traversal)

> Resource path consisting of %7D with multiple dots leads to path traversal
> --
>
> Key: SLING-11438
> URL: https://issues.apache.org/jira/browse/SLING-11438
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.9.0
> Reporter: Sagar Miglani
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> With changes of SLING-10225, sling-engine started considering requests consisting of a resource path with %5B ([) and multiple dots as "Invalid", as it could lead to path traversal and exposure of repository content.
> But the same could happen with %7D (}) with multiple dots in the request resource path.
> e.g.:
> http://:/content/we-retail/us/en/experience.html/.%7D./.%7D./.1.json
> would lead to exposure of repository content stored at /content/we-retail/us

--
This message was sent by Atlassian Jira (v8.20.10#820010)
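
A log-review check for the request shape described in the issue, as an added example that is not part of the Jira notification and is not Sling's own validation code. The function names, the matching heuristic (a decoded path segment made only of dots plus `[` or `}`, with at least two dots) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Characters the issue names as combining with dots: %5B ([) from
# SLING-10225 and %7D (}) from SLING-11438.
SUSPECT_CHARS = "[}"

# Request line inside a Common Log Format entry (assumed log layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_segments(request_target):
    """Return decoded path segments that consist only of dots and suspect
    characters, with at least two dots and at least one suspect character.
    Plain ".." is left to ordinary dot-segment handling and is not flagged."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    hits = []
    for raw in path.split("/"):
        seg = unquote(raw)  # one decoding pass; %7d and %7D decode alike
        only_dots_and_suspects = all(c == "." or c in SUSPECT_CHARS for c in seg)
        has_suspect = any(c in SUSPECT_CHARS for c in seg)
        if only_dots_and_suspects and has_suspect and seg.count(".") >= 2:
            hits.append(seg)
    return hits


def scan_access_log(lines):
    """Return (line_number, request_target, segments) for flagged entries."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        segments = suspicious_segments(match.group("target"))
        if segments:
            findings.append((number, match.group("target"), segments))
    return findings


# Constructed sample entries (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2022:10:00:00 +0000] "GET /content/we-retail/us/en/experience.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2022:10:00:05 +0000] "GET /content/we-retail/us/en/experience.html/.%7D./.%7D./.1.json HTTP/1.1" 200 8841',
    '198.51.100.7 - - [01/Jul/2022:10:00:09 +0000] "GET /content/we-retail/us/en/experience.html/.%5B./.1.json HTTP/1.1" 400 0',
    '192.0.2.10 - - [01/Jul/2022:10:00:12 +0000] "GET /etc/clientlibs/site.min.js?v=1.2.3 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, target, segments in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {target} -> {segments}")
```

A flagged request that returned 200 on Engine 2.9.0 is the case worth following up; on a version that treats the path as invalid, the same pattern should show up only with an error status.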