[ https://issues.apache.org/jira/browse/SLING-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls resolved SLING-11438.
--------------------------------
    Resolution: Fixed

Thanks a lot [~sagarmiglani], I merged your PR.

> Resource path consisting of %7D with multiple dots leads to path traversal
> --------------------------------------------------------------------------
>
>                 Key: SLING-11438
>                 URL: https://issues.apache.org/jira/browse/SLING-11438
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 2.9.0
>            Reporter: Sagar Miglani
>            Assignee: Karl Pauls
>            Priority: Major
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> With changes of SLING-10225, sling-engine started considering requests
> consisting of resource path with %5B ([) and multiple dots as "Invalid", as
> it could lead to path traversal and exposure of repository content.
> But same could happen with %7D (}) with multiple dots in the request resource
> path.
> e.g:
> http://<HOST>:<PORT>/content/we-retail/us/en/experience.html/.%7D./.%7D./.1.json
> would lead to exposure of repository content stored at /content/we-retail/us

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
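A defensive check for the request pattern described in this issue, as an added example (it is not the code from the merged PR or from sling-engine): it rejects a path when any decoded segment consists only of two or more dots mixed with `[` or `}`. The class and method names are hypothetical, and the per-segment rule is an assumption drawn from the issue text, not Sling's actual validation logic.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class DotSegmentCheck {
    // Assumption: only the two characters named in the issue (%5B and %7D)
    // are treated as characters that may hide between dots.
    private static final String HIDDEN_BETWEEN_DOTS = "[}";

    /** Returns false for malformed escapes or for a segment such as ".}." or ".[.". */
    static boolean isAcceptablePath(String rawPath) {
        String path;
        try {
            // Keep a literal '+' intact; URLDecoder would otherwise turn it into a space.
            path = URLDecoder.decode(rawPath.replace("+", "%2B"), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedEscape) {
            return false; // fail closed on broken percent-encoding
        }
        for (String segment : path.split("/")) {
            int dots = 0;
            boolean onlyDotsAndHidden = true;
            for (char c : segment.toCharArray()) {
                if (c == '.') {
                    dots++;
                } else if (HIDDEN_BETWEEN_DOTS.indexOf(c) < 0) {
                    onlyDotsAndHidden = false;
                    break;
                }
            }
            if (onlyDotsAndHidden && dots >= 2) {
                return false; // reads as ".." once the extra characters are ignored
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample paths; the first is the path portion of the URL in the issue.
        List<String> samples = List.of(
            "/content/we-retail/us/en/experience.html/.%7D./.%7D./.1.json", // rejected
            "/content/we-retail/us/en/experience.html/.%5B./.1.json",       // rejected
            "/content/we-retail/us/en/experience.html",                     // accepted
            "/content/archive.tar.gz",                                      // accepted
            "/content/%7D.json",                                            // accepted
            "/content/bad%ZZescape");                                       // rejected
        for (String s : samples) {
            System.out.println((isAcceptablePath(s) ? "accept  " : "reject  ") + s);
        }
    }
}
```

The check decodes once only, so it belongs after any canonicalisation the front end already performs, and the character set should be widened if further characters turn out to behave like `[` and `}`.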