[MAGNOLIA-1564] Accessing a page without proper extension should return 404 error Created: 31/May/07  Updated: 19/Dec/16  Resolved: 04/Nov/15

Status: Closed
Project: Magnolia
Component/s: core, templating
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: zam6ak Assignee: Unassigned
Resolution: Won't Do Votes: 1
Labels: errorhandling, quality, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

3.1-SNAPSHOT
JBoss 4.0.5GA


Issue Links:
duplicate
is duplicated by MAGNOLIA-5886 New possible optional filter: Redirec... Accepted
is duplicated by MAGNOLIA-2384 display pages only with defined exten... Closed
relation
is related to MAGNOLIA-2383 TemplateRenderer should be instantiat... Closed
is related to MAGNOLIA-3452 Content-type of a rendered page shoul... Closed

 Description   

Since there was some discussion on the dev list regarding this (see http://old.nabble.com/extension-on-pages-td10879033.html) I thought it would be prudent to report it.

Problem:

Accessing a page without proper extension does not return a 404 - Page not found error

http://server.company.org/magnoliaPublic/www/doesnotexist/page1.html (404 - not found)
http://server.company.org/magnoliaPublic/www/page1 (found !)
http://server.company.org/magnoliaPublic/www/page1.doesnotexist (found !)
http://server.company.org/magnoliaPublic/www/page1.whatever (found !)

The behaviour should be consistent and only certain extensions should be valid (perhaps default server extension and defined subtemplates...)

As you can see in the list thread this may not be easy to accomplish...
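
The consistent behaviour requested above, sketched as an added example (not Magnolia code and not part of the original report): a path check that a request filter could apply before rendering, answering 404 unless the last path segment carries an allowed extension and the remaining handle names an existing page. The class and method names, the allowed set containing only `html`, the constructed page set, and the assumption that the `/magnoliaPublic` context path has already been stripped are all illustrative.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Added example: extension allow-list check for page URLs (hypothetical, not Magnolia code). */
public class ExtensionAllowList {

    // Assumption: pages are served only as ".html"; a real site would load this from config.
    private static final Set<String> ALLOWED = Set.of("html");

    /** Returns the HTTP status a filter would send for this request path. */
    static int statusFor(String path, Set<String> existingPages) {
        // Drop path parameters such as ";jsessionid=..." before inspecting the name.
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);

        // Only the last segment may carry the extension; dots in folder names are ignored.
        int slash = path.lastIndexOf('/');
        String last = path.substring(slash + 1);
        int dot = last.lastIndexOf('.');
        if (dot <= 0 || dot == last.length() - 1) return 404;   // "page1", ".html", "page1."

        String ext = last.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) return 404;                 // ".whatever", ".doesnotexist"

        // Handle = path without the extension; it must name a real page.
        String handle = path.substring(0, slash + 1) + last.substring(0, dot);
        return existingPages.contains(handle) ? 200 : 404;
    }

    public static void main(String[] args) {
        Set<String> pages = Set.of("/www/page1");               // constructed content tree
        List<String> requests = List.of(
            "/www/doesnotexist/page1.html",                     // the four paths from the report
            "/www/page1",
            "/www/page1.doesnotexist",
            "/www/page1.whatever",
            "/www/page1.html");                                 // constructed valid request
        for (String r : requests) {
            System.out.println(statusFor(r, pages) + "  " + r);
        }
    }
}
```

With this policy only the last request is served; the four paths from the report all receive 404.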



 Comments   
Comment by zam6ak [ 06/Jun/07 ]

This may or may not be related but another interesting detail regarding images uploaded via fckEditor:

regardless of the image extension and/or name in the URL the image always displays...

For example:

upload "someimage.jpg" on page1 paragraph 00.....

direct URL is:
http://server.company.org/magnoliaPublic/www/page1/center-column/00/content_files/file/someimage.jpg

but all of these also work:

http://server.company.org/magnoliaPublic/www/page1/center-column/00/content_files/file/s
http://server.company.org/magnoliaPublic/www/page1/center-column/00/content_files/file/someimage
http://server.company.org/magnoliaPublic/www/page1/center-column/00/content_files/file/someimagejpg
http://server.company.org/magnoliaPublic/www/page1/center-column/00/content_files/file/some-image-jpg
http://server.company.org/magnoliaPublic/www/page1/center-column/00/content_files/file/Whatever_I_want_to_put_in_here

If this is desired behaviour then so be it
but imagine some reputable public website with a person's picture (lastname-firstname.jpg) and some malicious user sending links with profane language as a last part of the url....
They could put in whatever they want and the picture would still show....
To an ordinary end user it would appear as if the company is hosting a valid image with an obscene name! Not good...

Comment by Michael Mühlebach [ 04/Nov/15 ]

Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes.
Thanks for taking the time to raise this issue. As you are no doubt aware this issue has been on our backlog for some time now with very little movement.
I'm going to close this to set expectations so the issue doesn't stay open for years with few updates. If the issue is still relevant please feel free to reopen it or create a new issue.
