Lars Krapf created SLING-9740: --------------------------------- Summary: Invalid handling of requests containing URL path parameters Key: SLING-9740 URL: https://issues.apache.org/jira/browse/SLING-9740 Project: Sling Issue Type: Bug Components: Engine Affects Versions: Engine 2.7.2 Reporter: Lars Krapf
{{RequestData.initResource()}} has support for requests containing URL-path parameters (e.g. /path;foo=bar/path2;bar=baz/). It will split at the first semicolon, and concatenate this to the {{request.getPathInfo()}} (not containing such parameters). See [RequestData.java|https://github.com/apache/sling-org-apache-sling-engine/blob/master/src/main/java/org/apache/sling/engine/impl/request/RequestData.java#L232]. However, this handling is incomplete as it only covers the case where one such parameter is added at the end of the request, but path parameters can be added to *any* path segment, leading to unexpected results. E.g. the following request: http://localhost:4502/content;foo=bar/we-retail;bar=baz/us/en.html will result in {{path}} being: /content/we-retail/us/en.html;foo=bar/we-retail;bar=baz/us/en.html This gets especially confusing when path normalization happens in conjunction with path parameters: http://localhost/content/we-retail.html/..;/..;/bin/querybuilder.json.css?path=/home/users will result in {{path}} being: /bin/querybuilder.json.css;/..;/bin/querybuilder.json.css after the concatenation. -- This message was sent by Atlassian Jira (v8.3.4#803005)