Magnolia / MAGNOLIA-6858

Duplicate context path in request still allows for serving content


    • Bug
    • Resolution: Fixed
    • Neutral
    • 5.4.11, 5.5.1
    • 5.4.9
    • None
    • Basel 73
    • 5

      Magnolia strips the context path when setting the current URI in AggregationState, using info.magnolia.cms.core.AggregationState.stripContextPathIfExists(String). During filter chain processing, the setCurrentURI() method is called several times, which results in the context path being stripped more than once. As a result, a context path can appear twice in the requested URL and the content is still served. For instance, for http://localhost:8080/magnoliaPublic/magnoliaPublic/travel.html the context path /magnoliaPublic is removed twice, resulting in the valid handle /travel.html. Therefore the page is served, even though the original URI should have caused a 404 error.

      The issue can be reproduced "out of the box", so to say, on an EE instance, where MultiSiteFilter causes AggregationState#setCurrentURI() to be called more than once, thus revealing the issue. On a plain CE instance this is not immediately apparent, but another Filter calling that method (besides ContentTypeFilter, which is always called and basically initialises the AggregationState) would suffice to cause the issue.
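
A simplified model of the behaviour described above, added here as an illustration and not taken from Magnolia's source or its fix: `NaiveState` strips on every `setCurrentURI()` call, while `StripOnceState` shows one possible guard. The class names, the second filter re-passing the stored URI, and the strip-once guard are assumptions.

```java
// Simplified model of the behaviour described in this issue; not Magnolia source code.
public class ContextPathStripDemo {
    static final String CONTEXT_PATH = "/magnoliaPublic"; // from the issue's example URL

    // Model of the strip step: removes one leading context path segment, if present.
    static String stripContextPathIfExists(String uri) {
        if (uri.equals(CONTEXT_PATH) || uri.startsWith(CONTEXT_PATH + "/")) {
            return uri.substring(CONTEXT_PATH.length());
        }
        return uri;
    }

    // Models the reported behaviour: every setter call strips again,
    // so two filters setting the URI remove the context path twice.
    static class NaiveState {
        String currentURI;
        void setCurrentURI(String uri) { currentURI = stripContextPathIfExists(uri); }
    }

    // Hypothetical guard (an assumption, not the project's fix): strip only when
    // the raw request URI is first recorded; later calls store the value as given.
    static class StripOnceState {
        String currentURI;
        private boolean stripped;
        void setCurrentURI(String uri) {
            currentURI = stripped ? uri : stripContextPathIfExists(uri);
            stripped = true;
        }
    }

    public static void main(String[] args) {
        // Constructed input: the path part of the URL from the issue description.
        String requestUri = "/magnoliaPublic/magnoliaPublic/travel.html";

        NaiveState naive = new NaiveState();
        naive.setCurrentURI(requestUri);        // first filter initialises the state
        naive.setCurrentURI(naive.currentURI);  // assumed: second filter re-sets the URI
        System.out.println("naive:      " + naive.currentURI);

        StripOnceState guarded = new StripOnceState();
        guarded.setCurrentURI(requestUri);
        guarded.setCurrentURI(guarded.currentURI);
        System.out.println("strip-once: " + guarded.currentURI);
    }
}
```

With the guard, the second context path stays in the handle, so the lookup fails and the request ends in the 404 the description expects.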


              fgrilli Federico Grilli
              ochytil Ondrej Chytil