[jira] [Commented] (SLING-11872) Some request attributes not set when running with Felix Jetty 4.2.x

Mon, 15 May 2023 00:24:04 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-11872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722679#comment-17722679
 ] 

Henry Kuijpers commented on SLING-11872:
----------------------------------------

[~cziegeler] I don't think overriding getAttribute()/setAttribute()/etc is a 
good plan? Why would it not be sufficient to just put the attributes in the 
map? That map will be used throughout the entire stack of wrappers around the 
request, no? (Until that change was made in Apache Felix, of course..)


> Some request attributes not set when running with Felix Jetty 4.2.x
> -------------------------------------------------------------------
>
>                 Key: SLING-11872
>                 URL: https://issues.apache.org/jira/browse/SLING-11872
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>            Reporter: Robert Munteanu
>            Assignee: Carsten Ziegeler
>            Priority: Blocker
>             Fix For: Engine 2.15.0
>
>
> When updating the Sling Starter
> org.apache.felix:org.apache.felix.http.jetty from 4.1.14 to 4.2.10 and
> org.apache.felix:org.apache.felix.http.servlet-api from 1.1.4 to 1.2.0
> .
> There are 3 failures in the IncludeIT that show that the
> javax.servlet.include.request_uri attribute is no longer present:
> [ERROR] Failures: 
> [ERROR]   
> IncludeTest.testForcedResourceType:149->assertIncludeRequestAttributes:154->assertIncludeRequestAttributes:167->assertRequestAttribute:189
>  Expected content contains '--javax.servlet.include.request_uri-'
> [ERROR]   
> IncludeTest.testWithInclude:114->assertIncludeRequestAttributes:154->assertIncludeRequestAttributes:167->assertRequestAttribute:189
>  Expected content contains '--javax.servlet.include.request_uri-'
> [ERROR]   
> IncludeTest.testWithIncludeAndExtension:123->assertIncludeRequestAttributes:154->assertIncludeRequestAttributes:167->assertRequestAttribute:189
>  Expected content contains '--javax.servlet.include.request_uri-'
> [~cziegeler] thinks this is due to new code in 4.2.0 
> https://github.com/apache/felix-dev/blob/http-4.x/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java#L166
>  and that the solution here is to do the same in Sling Engine as Apache  
> Felix is doing: instead of setting the attributes on the request,  
> overwriting the getAttribute method. This avoids leakage of information  as 
> well.
> See also the dev@sling.apache.org discussion at 
> https://lists.apache.org/thread/wbfs0bvv0yk8nhggtx969nxwjyxs3c1o .



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to