Uploaded image for project: 'Imaging'
  1. Imaging
  2. MGNLIMG-231

Bypass CsrfTokenSecurityFilter for imaging URIs

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Won't Do
    • Icon: Neutral Neutral
    • None
    • 3.4.4
    • None
    • Maintenance 68

      If there is a non ASCII character (e.g. an Umlaut) in the URI of an imaging request it returns a 500 error.

      HTTP Status 500 – Internal Server ErrorType Exception ReportMessage An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookieDescription The server encountered an unexpected condition that prevented it from fulfilling the request.Exceptionjava.lang.IllegalArgumentException: An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookie
	org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:227)
	org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:152)
	org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
	org.apache.catalina.connector.Response.addCookie(Response.java:967)
	org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
	javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:58)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.unloggedRequestCheckPasses(CsrfTokenSecurityFilter.java:174)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.csrfCheckPasses(CsrfTokenSecurityFilter.java:118)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.doFilter(CsrfTokenSecurityFilter.java:109)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.UnicodeNormalizationFilter.doFilter(UnicodeNormalizationFilter.java:89)

      Notes

      • In previous version of Magnolia we used to bypass "dot everything". Now that configuration is more refined to include only some dot requests.
      • Possibly created by MAGNOLIA-8115 or one of the linked tickets.
      • Seems reasonable that adding a bypass for /.imaging would be enough.

       

        Acceptance criteria

          1. imaging.png
            imaging.png
            116 kB

              fgrilli Federico Grilli
              fgrilli Federico Grilli
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved:

                  Task DoR