[ 
https://issues.apache.org/jira/browse/SLING-12958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Remo Liechti updated SLING-12958:
---------------------------------
        Fix Version/s:     (was: Engine 3.0.0)
                           (was: Engine 2.16.4)
    Affects Version/s: Engine 2.16.6
                           (was: Engine 2.16.2)
          Description: 
According to the [servlet api 
specification|https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0#the-include-method]:
{noformat}
It cannot set headers or call any method that affects the headers of the 
response{noformat}
This means that methods like sendError() and sendRedirect() are not allowed to 
be used during an include. Those methods change the status and commit the 
response, which both are headers being changed. As well as resetting the 
response, which changes headers like content type back to null.

Instead, those methods must throw IOExceptions for non-404, and for 404 
{noformat}
RequestDispatch.include() and the requested resource does not exist, then the 
default servlet MUST throw FileNotFoundException{noformat}
This will also improve the content header change violation reporting for cases 
where the error handling 404.jsp is called and sets the header to text/html; 
with the current implementation, a violation will be triggered: "404.jsp tried 
to change the content type header from null to text/html"

  was:
SlingHttpServletResponseImpl.reset checks if the validation for include is 
enabled and resets the response only for non-enabled cases.
For error handling, this is wrong. The ErrorFilterChain calls the reset during 
the doFilter method to meet the "resetting policy" documented on:
[https://sling.apache.org/documentation/the-sling-engine/errorhandling.html]

 


> sendError() must not be allowed during include
> ----------------------------------------------
>
>                 Key: SLING-12958
>                 URL: https://issues.apache.org/jira/browse/SLING-12958
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 3.0.0, Engine 2.16.6
>            Reporter: Remo Liechti
>            Assignee: Carsten Ziegeler
>            Priority: Major
>
> According to the [servlet api 
> specification|https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0#the-include-method]:
> {noformat}
> It cannot set headers or call any method that affects the headers of the 
> response{noformat}
> This means that methods like sendError() and sendRedirect() are not allowed 
> to be used during an include. Those methods change the status and commit the 
> response, which both are headers being changed. As well as resetting the 
> response, which changes headers like content type back to null.
>  
> Instead, those methods must throw IOExceptions for non-404, and for 404 
>  
> {noformat}
> RequestDispatch.include() and the requested resource does not exist, then the 
> default servlet MUST throw FileNotFoundException{noformat}
> This will also improve the content header change violation reporting for 
> cases where the error handling 404.jsp is called and sets the header to 
> text/html; with the current implementation, a violation will be triggered: 
> "404.jsp tried to change the content type header from null to text/html"



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
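
An added example of the behaviour the description asks for, not Sling Engine code: a response wrapper that rejects `sendError()` and `sendRedirect()` while the request is dispatched as an include. The class name `IncludeGuardResponse` is hypothetical, and ignoring `reset()` during an include is an assumption, since the issue does not say how that call should be handled.

```java
import jakarta.servlet.DispatcherType;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical wrapper (not a Sling class). Create one per dispatch, e.g. in a filter
// registered for DispatcherType.INCLUDE, around the request the included component sees.
public class IncludeGuardResponse extends HttpServletResponseWrapper {
    private final HttpServletRequest request;

    public IncludeGuardResponse(HttpServletRequest request, HttpServletResponse response) {
        super(response);
        this.request = request;
    }

    private boolean inInclude() {
        return request.getDispatcherType() == DispatcherType.INCLUDE;
    }

    // Turns a header-changing call into the exception type the issue describes.
    private IOException rejected(String call, int status) {
        String msg = call + " is not allowed during an include";
        return status == HttpServletResponse.SC_NOT_FOUND
                ? new FileNotFoundException(msg)   // 404: requested resource does not exist
                : new IOException(msg);            // any other status
    }

    @Override
    public void sendError(int status) throws IOException {
        if (inInclude()) throw rejected("sendError(" + status + ")", status);
        super.sendError(status);
    }
    @Override
    public void sendError(int status, String message) throws IOException {
        if (inInclude()) throw rejected("sendError(" + status + ")", status);
        super.sendError(status, message);
    }
    @Override
    public void sendRedirect(String location) throws IOException {
        if (inInclude()) throw rejected("sendRedirect()", HttpServletResponse.SC_FOUND);
        super.sendRedirect(location);
    }
    @Override
    public void reset() {
        // Assumption: ignore instead of throwing, so the content type is not reset to null.
        if (!inInclude()) super.reset();
    }
}
```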
