jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Javier Godoy (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (JCR-3174) Destination URI should be normalized
Date Sun, 11 Dec 2011 19:28:40 GMT
Destination URI should be normalized

                 Key: JCR-3174
                 URL: https://issues.apache.org/jira/browse/JCR-3174
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-webdav
    Affects Versions: 2.3.6
         Environment: Not applicable
            Reporter: Javier Godoy
            Priority: Minor

WebdavRequestImpl.getHrefLocator tests if the URI passed as parameter starts with the context
path, and passes the next segments to the locator factory.
There is a potential hole if the parameter contains "..", because "http://example.com/dav/../foo"
starts with the context path "http://example.com/dav" but represents to "http://example.com/foo".
Currently, it is up to the locator factory to detect this situation, meaning that every locator
factory should implement this check. Additionally, DavLocatorFactory.createResourceLocator
cannot throw exceptions, hence it would not fail cleanly (RuntimeException causing a 500 INTERNAL
SERVER ERROR response, when a 403 FORBIDDEN status code would have been apropriate)

Note that the Request-URI should have already been normalized by the servlet container, but
in COPY/MOVE operations, the Destination-URI is not normalized.

Conformant clients MUST NOT use dot-segments ("." or "..")  [RFC 4918, Section 8.3] in Simple-Ref
constructions such as the Destination header [RFC 4918, Section 10.3]), but the server should
be able to detect this error.

Proposed change in WebdavRequestImpl:193 (in package org.apache.jackrabbit.webdav from webdav/java)
- ref = uri.getRawPath();
+ ref = uri.normalize().getRawPath();

(This causes /dav/../foo to be rejected because it doesn't start with the context path, and
accepts dav/foo/../bar because it starts with the context path)

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message