[MAGNOLIA-532] Filenames with special characters produce 403 Created: 20/Aug/05  Updated: 23/Jan/13  Resolved: 06/Oct/05

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 2.1 Final

Type: Bug Priority: Major
Reporter: Michael Aemisegger Assignee: Sameer Charles
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: 0.75d
Time Spent: Not Specified
Original Estimate: 0.75d
Environment:

all



 Description   

Example: If the filename specified in the samples download paragraph contains special characters (e.g. German umlauts), then Magnolia returns a 403 HTTP status code, even if the requested filename is URL encoded.

In AccessManagerImpl.getPermissions(String) the requested URL is matched against the ACL. The internal ACL patterns do not support special characters, hence an AccessDeniedException is thrown.



 Comments   
Comment by Michael Aemisegger [ 20/Aug/05 ]

Sorry, wrong project. Can you redirect this bug to magnolia-wcm?

Comment by Sameer Charles [ 05/Oct/05 ]

Michael, I cannot reproduce this bug. Since the URL is encoded, I don't see how it is possible that the access manager failed to check.

for example

/home/headerä.jpg
will be encoded in
header%C3%A4.jpg

Comment by Michael Aemisegger [ 05/Oct/05 ]

I can. On the page 'Magnolia Products' of the demo site I changed

magnolia_bpm_V2.pdf

to

magnolia_bpm_V2_äöü.pdf

The result is a 403. I use Firefox 1.0.4 on Linux.

Comment by Alexandru Popescu [ 05/Oct/05 ]

I cannot reproduce it with Magnolia trunk on Windows and Firefox 1.0.7.

Michael, can you debug it and tell us where this is happening? Thanks,

./alex

.w( the_mindstorm )p.

Comment by Michael Aemisegger [ 05/Oct/05 ]

Hey, all information already is in the description.

What about the document link I changed on the demo site? Can you click on it and view the document or do you get a 403?

Comment by Sameer Charles [ 05/Oct/05 ]

Authorization changed in current trunk and this has been fixed.

It's a bug in released version 2.1

Comment by Alexandru Popescu [ 05/Oct/05 ]

I am trying to help here... so sorry for asking for more info.

Indeed I get a 403 with the message
WARN info.magnolia.cms.servlets.EntryServlet EntryServlet.java(doGet:165) 05.10.2005 17:24:26 User not allowed to Read path [/features/magnolia-product-info/mainColumnParagraphs/01/document/magnolia_bpm_V2_äöü]

The problem comes from the SimpleUrlPattern which is using a java.util.regex.Pattern that does not allow UTF-8 chars.

Comment by Sameer Charles [ 06/Oct/05 ]

updated on svn, added unicode regex pattern

http://svn.magnolia.info/svn/magnolia/branches/magnolia2.1/src/main/info/magnolia/cms/util/SimpleUrlPattern.java
http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/cms/util/SimpleUrlPattern.java
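
An added example, not part of the original thread and not Magnolia's own code: a minimal wildcard-to-regex ACL matcher showing why the percent-encoded request matches while the decoded path that appears in the EntryServlet log is rejected by an ASCII-only pattern. The `/features/*` rule, the class and method names, and both character classes are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class AclPatternDemo {
    // Hypothetical wildcard expansions (not Magnolia's): what "*" in an ACL rule becomes.
    static final String ASCII_ONLY = "[a-zA-Z0-9_\\-./%]*";        // letters limited to A-Z
    static final String UNICODE_AWARE = "[\\p{L}\\p{N}_\\-./%]*";  // any Unicode letter or digit

    /** Translate a simple ACL rule, where "*" is the only wildcard, into a regex. */
    static Pattern compile(String aclRule, String wildcardClass) {
        String[] literals = aclRule.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) {
                regex.append(wildcardClass);
            }
            // Quote the literal parts so path characters are never read as regex syntax.
            regex.append(Pattern.quote(literals[i]));
        }
        return Pattern.compile(regex.toString());
    }

    /** Fail closed: access is granted only when the whole path matches the rule. */
    static boolean isAllowed(Pattern rule, String path) {
        return rule.matcher(path).matches();
    }

    public static void main(String[] args) {
        // Path taken from the log line in the thread, written in its percent-encoded form.
        String encoded = "/features/magnolia-product-info/mainColumnParagraphs/01/document/"
                + "magnolia_bpm_V2_%C3%A4%C3%B6%C3%BC";
        // The permission check sees the decoded path, as the log line shows.
        // URLDecoder.decode(String, Charset) requires Java 10 or later.
        String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8);

        Pattern asciiRule = compile("/features/*", ASCII_ONLY);
        Pattern unicodeRule = compile("/features/*", UNICODE_AWARE);

        System.out.println("ASCII-only,    encoded path: " + isAllowed(asciiRule, encoded));
        System.out.println("ASCII-only,    decoded path: " + isAllowed(asciiRule, decoded));
        System.out.println("Unicode-aware, encoded path: " + isAllowed(unicodeRule, encoded));
        System.out.println("Unicode-aware, decoded path: " + isAllowed(unicodeRule, decoded));
    }
}
```

Only the ASCII-only rule applied to the decoded path returns false, which corresponds to the 403 in the report; testing against the encoded string alone hides the problem.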

Generated at Mon Feb 12 03:18:21 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.