[
https://issues.apache.org/jira/browse/SLING-10225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17360811#comment-17360811
]
Robert Wunsch commented on SLING-10225:
---------------------------------------
Not allowing "empty selectors" will cause problems (e.g. Classic UI creates URLs
with empty selectors).
The reason/background for SLING-10225 was not to interpret "/...<extension>"
(e.g. "<url>/...html") as "even though the resource does not exist, move one
level up and deliver the parent-resource".
I would assume a lot of projects might have "empty selectors" in their code,
something like "<url>/<valid-resource-name>.<selector1>..html".
If empty selectors are no longer allowed, this will cause trouble for multiple
SLING projects, I imagine.
So I would see the solution for both problems to allow "..<extension>" as
"empty-selector", but NOT to interpret this as "resolve to the parent resource".
Hope this makes sense.
> Files with ".." In Name Throw 400 Exception
> -------------------------------------------
>
> Key: SLING-10225
> URL: https://issues.apache.org/jira/browse/SLING-10225
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.7.4
> Reporter: Dan Klco
> Assignee: Karl Pauls
> Priority: Critical
> Fix For: Engine 2.7.6
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> SLING-9741 and the [associated
> PR|https://github.com/apache/sling-org-apache-sling-engine/pull/11]
> introduced a regression where the Sling Engine will return a 400 error on
> requests based on the presence of ".." in the URL when not preceded by a
> slash.
> This is an issue as file names may contain multiple periods and it is not
> obvious that it would cause an issue to upload a file with two periods in the
> name.
> h2. Reproduction steps:
> * Update a Sling instance to use Engine 2.7.4
> * Upload a file containing .. in the path
> * Attempt to get the file or any path with the file as a suffix
> * Note this returns a 400 error
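
The distinction drawn in the comment and the issue description above, as an added Java example that is not code from Apache Sling: a substring test for ".." beside a segment-based test, plus a split that keeps empty selectors and refuses a segment with no resource name instead of falling back to the parent. The class and method names are hypothetical, splitting at the first dot is a simplification, and the sample paths are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration, not Apache Sling code. Paths are assumed to be already
// percent-decoded; all sample paths below are constructed.
public class DotDotCheck {

    // Substring test: flags every path containing "..", so a file name with
    // two consecutive periods is rejected along with real traversal.
    static boolean substringCheck(String path) {
        return path.contains("..");
    }

    // Segment test: flags a path only when a whole slash-delimited segment
    // is exactly "..", which is the form that climbs to the parent.
    static boolean segmentCheck(String path) {
        return Arrays.asList(path.split("/", -1)).contains("..");
    }

    // Splits what follows the resource name in the last segment into
    // selectors and extension, keeping empty selectors. Returns null when
    // nothing precedes the first dot (e.g. "...html"): the caller should
    // answer "not found" rather than resolve to the parent resource.
    static List<String> selectorsAndExtension(String lastSegment) {
        int firstDot = lastSegment.indexOf('.');
        if (firstDot == 0) {
            return null;
        }
        if (firstDot < 0) {
            return Collections.emptyList();
        }
        return Arrays.asList(lastSegment.substring(firstDot + 1).split("\\.", -1));
    }

    public static void main(String[] args) {
        String[] samples = {
            "/content/report..pdf",       // file name with two periods
            "/content/page.print..html",  // empty selector before the extension
            "/content/page/...html",      // no resource name in the last segment
            "/content/../etc"             // real parent-directory segment
        };
        for (String path : samples) {
            String last = path.substring(path.lastIndexOf('/') + 1);
            System.out.printf("%-28s substring=%-5b segment=%-5b parts=%s%n",
                path, substringCheck(path), segmentCheck(path), selectorsAndExtension(last));
        }
    }
}
```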