[MAGNOLIA-6640] PermissionUtils / SimpleUrlPattern handle "." as "any char" while matching uri permissions Created: 22/Apr/16  Updated: 04/Mar/19  Resolved: 04/Mar/19

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Matteo Pelucco Assignee: Unassigned
Resolution: Duplicate Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicate

 Description   

In servlet mapping you have several servlets with a DOT mapping:

/.magnolia/admincentral
/.rest/*
... and many more

The intention is to map any URL of this form:

  • http://<domain>:<port>/.magnolia/admincentral
  • http://<domain>:<port>/.rest/<service>
    ...

These URLs are blocked on the public instance for the anonymous user due to its role rules:

  • DENY /.magnolia/admincentral
  • DENY /.rest*
    ...

SiteUriSecurityFilter relies on PermissionsUtil to do a proper match between the request path and the user's URI permissions, but every line is converted to a regex, where "." means "any char".

This will end up with undesired URI aliases showing the Magnolia login:

  • http://<domain>:<port>/amagnolia/admincentral
  • http://<domain>:<port>/bmagnolia/admincentral
  • http://<domain>:<port>/<x>magnolia/admincentral
  • http://<domain>:<port>/arest/<service>
  • http://<domain>:<port>/brest/<service>
  • http://<domain>:<port>/<x>rest/<service>

DEMO: https://demopublic.magnolia-cms.com/amagnolia/admincentral



 Comments   
Comment by Matteo Pelucco [ 22/Apr/16 ]

Workaround: change anonymous role permissions from

/.rest*

to

\/\.rest*

Comment by Mikaël Geljić [ 04/Mar/19 ]

Has been fixed since MAGNOLIA-6542 / as far back as Magnolia 5.4.6.
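
The matching behaviour reported in this issue and the workaround from the first comment, as an added example (not Magnolia's code and not part of the original report). `toRegex` is a hypothetical, simplified model of a rule-to-regex translation that treats only `*` and `?` as wildcards, and the `nodes` service name in the sample paths is constructed.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration: a simplified, hypothetical model of the translation, not Magnolia's source.
public class UriPatternDemo {

    // Translate a permission rule to a regex. '*' and '?' are wildcards.
    // quoteLiterals=false copies every other character verbatim, so '.' stays
    // a regex metacharacter (the behaviour reported in this issue).
    // quoteLiterals=true quotes every other character so it matches only itself.
    static Pattern toRegex(String rule, boolean quoteLiterals) {
        StringBuilder sb = new StringBuilder();
        for (char c : rule.toCharArray()) {
            if (c == '*') sb.append(".*");
            else if (c == '?') sb.append('.');
            else sb.append(quoteLiterals ? Pattern.quote(String.valueOf(c)) : String.valueOf(c));
        }
        return Pattern.compile(sb.toString(), Pattern.DOTALL);
    }

    // Print, for one compiled rule, whether each sample path matches in full.
    static void report(String label, String rule, Pattern p, List<String> paths) {
        for (String path : paths) {
            System.out.printf("%-9s rule=%-24s path=%-24s matches=%b%n",
                    label, rule, path, p.matcher(path).matches());
        }
    }

    public static void main(String[] args) {
        // Rules come from the issue; the "nodes" service name is a constructed sample value.
        List<String> rules = List.of("/.magnolia/admincentral", "/.rest*");
        List<String> paths = List.of("/.magnolia/admincentral", "/amagnolia/admincentral",
                "/.rest/nodes", "/arest/nodes");
        for (String rule : rules) {
            report("verbatim", rule, toRegex(rule, false), paths);
            report("quoted", rule, toRegex(rule, true), paths);
        }
        // The reporter's workaround escapes the dot by hand, which the verbatim
        // translation passes straight through to the regex engine.
        String workaround = "\\/\\.rest*";
        report("verbatim", workaround, toRegex(workaround, false), paths);
    }
}
```

Comparing the `verbatim` and `quoted` rows for the same rule shows which request paths a rule covers only because of the unescaped dot.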
