-
Bug
-
Resolution: Fixed
-
Neutral
-
5.7.11, 6.2.10
-
None
-
Empty show more show less
-
Maintenance 68
If there is e.g. umlaut in the URI of an imaging request it returns a 500 error.
HTTP Status 500 – Internal Server ErrorType Exception ReportMessage An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookieDescription The server encountered an unexpected condition that prevented it from fulfilling the request.Exceptionjava.lang.IllegalArgumentException: An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookie org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:227) org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:152) org.apache.catalina.connector.Response.generateCookieString(Response.java:1019) org.apache.catalina.connector.Response.addCookie(Response.java:967) org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386) javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:58) info.magnolia.cms.security.CsrfTokenSecurityFilter.unloggedRequestCheckPasses(CsrfTokenSecurityFilter.java:174) info.magnolia.cms.security.CsrfTokenSecurityFilter.csrfCheckPasses(CsrfTokenSecurityFilter.java:118) info.magnolia.cms.security.CsrfTokenSecurityFilter.doFilter(CsrfTokenSecurityFilter.java:109) info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85) info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79) info.magnolia.cms.filters.UnicodeNormalizationFilter.doFilter(UnicodeNormalizationFilter.java:89)
Notes
- In previous version of Magnolia we used to bypass "dot everything". Now that configuration is more refined to include only some dot requests.
- Possibly created by MAGNOLIA-8115 or one of the linked tickets.
- Seems reasonable that adding a bypass for /.imaging would be enough.
Update
Seems to affecting any URI with umlauts. Example from the stories app.
27-Jul-2021 07:15:42.000 SCHWERWIEGEND [http-nio-11080-exec-70] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception27-Jul-2021 07:15:42.000 SCHWERWIEGEND [http-nio-11080-exec-70] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception java.lang.IllegalArgumentException: An invalid path [/projekte/Case-Studies~Frank-Börsch~] was specified for this cookie at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:227)
Maybe we need a property voter for UTF-8 on the filter as well.
Solution
- ASCII encode request's servletPath for Cookie path
- is duplicated by
-
MAGNOLIA-7991 Invalid path for cookie with special characters
- Closed
-
MGNLCE-262 CsrfTokenSecurityFilter does not encode cookie path
- Closed
- is related to
-
MAGNOLIA-8162 Image URI with spaces cause CsrfTokenSecurityFilter#generateCookie to fail
- Closed
-
MGNLDAM-980 Image with non ASCII characters in its name is not usable in pages app
- Closed
-
MGNLIMG-231 Bypass CsrfTokenSecurityFilter for imaging URIs
- Closed
-
MAGNOLIA-8150 CsrfTokenSecurityFilter could create cookie only for text/html requests
- Closed