[jira] [Comment Edited] (SLING-7741) org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle the ":" character in URL fragments

Tue, 26 Jun 2018 09:15:16 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-7741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523925#comment-16523925
 ] 

Radu Cotescu edited comment on SLING-7741 at 6/26/18 4:14 PM:
--------------------------------------------------------------

The PR [0] should solve this issue, however the current set of regexes doesn't 
validate some correctly formed URIs (for example the {{:}} character can be 
used anywhere inside a URI).

A nicer approach would have been the [^SLING-7741.correct_uri_parsing.patch] 
(which can be applied on top of [commit 
43947bd|https://github.com/apache/sling-org-apache-sling-xss/commit/43947bd]), 
however the URI grammar (reproduced through the regexes added to the patch) 
cannot make a difference between a {{scheme://}} and a path containing {{:}}, 
followed by two empty segments.

[0] - [https://github.com/apache/sling-org-apache-sling-xss/pull/2] 


was (Author: radu.cotescu):
The PR [0] should solve this issue, however the current set of regexes doesn't 
validate some correctly formed URIs (for example the {{:}} character can be 
used anywhere inside a URI).

A nicer approach would have been the [^SLING-7741.correct_uri_parsing.patch] 
(which can be applied on top of [commit 
43947bd|https://github.com/apache/sling-org-apache-sling-xss/commit/43947bd]), 
however the URI grammar (reproduced through the regexes added to the patch) 
cannot make a difference between a {{scheme:// }}and a path containing {{:}}, 
followed by two empty segments.

[0] - [https://github.com/apache/sling-org-apache-sling-xss/pull/2] 

> org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle 
> the ":" character in URL fragments
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-7741
>                 URL: https://issues.apache.org/jira/browse/SLING-7741
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 1.0.0, XSS Protection API 2.0.0, XSS 
> Protection API Compat 1.1.0
>            Reporter: Radu Cotescu
>            Assignee: Radu Cotescu
>            Priority: Major
>             Fix For: XSS Protection API 2.0.8
>
>         Attachments: SLING-7741.correct_uri_parsing.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> {{org.apache.sling.xss.impl.XSSAPIImpl#getValidHref}} doesn't correctly 
> handle the ":" character in URL fragments:
> {code}
> https://sling.apache.org/#fragment:test -> 
> https://sling.apache.org/_#fragment_test
> {code}
> Namespace mangling should only occur for the path section of the URL.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to