Magnolia / MAGNOLIA-6858

Duplicate context path in request still allows for serving content


Details

    • Bug
    • Resolution: Fixed
    • Neutral
    • 5.4.11, 5.5.1
    • 5.4.9
    • None
    • Basel 73
    • 5

    Description

      Magnolia is stripping the context path when setting the current URI in AggregationState using info.magnolia.cms.core.AggregationState.stripContextPathIfExists(String). During the filter chain process, the setCurrentURI() method is called several times, which results in stripping the context path more than once. As a result, a context path can appear twice in the requested URL and the content is still served. For instance, with http://localhost:8080/magnoliaPublic/magnoliaPublic/travel.html, the context path /magnoliaPublic is removed twice, thus resulting in a valid handle /travel.html. Therefore the page will be served, even though the original URI should have caused a 404 error.

      The issue can be reproduced "out of the box", so to say, on an EE instance, where MultiSiteFilter actually causes AggregationState#setCurrentURI() to be called more than once, thus revealing the issue. On a plain CE instance this is not immediately apparent, but it would suffice for another Filter to call that method (besides ContentTypeFilter, which is always called and is used to basically initialise the AggregationState) to cause the issue.
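
      The double stripping described above, modelled as an added example (not Magnolia's source and not part of the original report). The two state classes, initFromRequestURI and the strip logic are hypothetical, and the strip-once variant is one possible hardening, not necessarily the fix that shipped.

```java
// Added illustration: a simplified model of the behaviour in this report.
// Class names and method bodies are hypothetical, not Magnolia's source code.
public class ContextPathStripDemo {
    static final String CONTEXT_PATH = "/magnoliaPublic"; // from the report's URL

    // Removes one leading context path if present (assumed logic).
    static String stripContextPathIfExists(String uri) {
        if (uri.equals(CONTEXT_PATH) || uri.startsWith(CONTEXT_PATH + "/")) {
            String rest = uri.substring(CONTEXT_PATH.length());
            return rest.isEmpty() ? "/" : rest;
        }
        return uri;
    }

    // Reported behaviour: every call to the setter strips again.
    static class StrippingOnEverySet {
        private String currentURI;
        void setCurrentURI(String uri) { currentURI = stripContextPathIfExists(uri); }
        String getCurrentURI() { return currentURI; }
    }

    // Possible hardening (assumption): strip only where the raw request URI
    // enters the state; later updates are stored as given.
    static class StripOnceAtEntry {
        private String currentURI;
        void initFromRequestURI(String raw) { currentURI = stripContextPathIfExists(raw); }
        void setCurrentURI(String contextRelativeURI) { currentURI = contextRelativeURI; }
        String getCurrentURI() { return currentURI; }
    }

    public static void main(String[] args) {
        String[] requestURIs = {                    // constructed sample inputs
            "/magnoliaPublic/travel.html",
            "/magnoliaPublic/magnoliaPublic/travel.html"
        };
        for (String raw : requestURIs) {
            StrippingOnEverySet a = new StrippingOnEverySet();
            a.setCurrentURI(raw);                   // first filter initialises the state
            a.setCurrentURI(a.getCurrentURI());     // a later filter sets the URI again

            StripOnceAtEntry b = new StripOnceAtEntry();
            b.initFromRequestURI(raw);
            b.setCurrentURI(b.getCurrentURI());     // same second call, no re-strip

            System.out.printf("%-45s every-set=%-28s strip-once=%s%n",
                    raw, a.getCurrentURI(), b.getCurrentURI());
        }
    }
}
```

      With the doubled context path, the first model ends at /travel.html, while the strip-once model keeps /magnoliaPublic/travel.html, which does not match the page handle.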

            People

              fgrilli Federico Grilli
              ochytil Ondrej Chytil