[MAGNOLIA-6858] Duplicate context path in request still allows for serving content
Created: 03/Nov/16  Updated: 09/Dec/16  Resolved: 06/Dec/16

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.4.9
Fix Version/s: 5.4.11, 5.5.1

Type: Bug Priority: Neutral
Reporter: Ondrej Chytil Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Basel 73
Story Points: 5

 Description   

Magnolia is stripping the context path when setting the current URI in AggregationState using info.magnolia.cms.core.AggregationState.stripContextPathIfExists(String). During the filter chain process, the setCurrentURI() method is called several times, which results in stripping the context path more than once. As a result, a context path can appear twice in the requested URL and the content is still served. For instance, for http://localhost:8080/magnoliaPublic/magnoliaPublic/travel.html, the context path /magnoliaPublic is removed twice, thus resulting in a valid handle /travel.html. Therefore the page will be served, even though the original URI should have caused a 404 error.

The issue can be reproduced "out of the box", so to say, on an EE instance where MultiSiteFilter actually causes AggregationState#setCurrentURI() to be called more than once, thus revealing the issue. On a plain CE instance this is not immediately apparent, but another Filter calling that method (besides ContentTypeFilter, which is always called and is used to basically initialise the AggregationState) would suffice to cause the issue.
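
The double strip described above can be modelled in a few lines of Java. This is an added example, not Magnolia's code: the class names, the two-filter call sequence, the sample handle set and the strip-once guard are assumptions for illustration, and the guard is not claimed to be the fix shipped in 5.4.11/5.5.1.

```java
import java.util.Set;

// Added illustration; all names are hypothetical and this is not Magnolia source.
public class ContextPathStripDemo {
    static final String CONTEXT_PATH = "/magnoliaPublic";
    static final Set<String> KNOWN_HANDLES = Set.of("/travel.html"); // constructed sample content

    // Simplified stand-in: removes one leading context path segment if present.
    static String stripContextPathIfExists(String uri) {
        return uri.startsWith(CONTEXT_PATH + "/") ? uri.substring(CONTEXT_PATH.length()) : uri;
    }

    // Behaviour described in the issue: every setter call strips again.
    static class RestrippingState {
        protected String currentURI;
        void setCurrentURI(String uri) { currentURI = stripContextPathIfExists(uri); }
    }

    // Assumed guard: strip only on the first call, store later values as given.
    static class StripOnceState extends RestrippingState {
        private boolean stripped;
        @Override
        void setCurrentURI(String uri) {
            currentURI = stripped ? uri : stripContextPathIfExists(uri);
            stripped = true;
        }
    }

    // Two filters in sequence: the first sets the URI from the request,
    // the second re-sets it from the state (as a later filter might).
    static int serve(RestrippingState state, String requestURI) {
        state.setCurrentURI(requestURI);
        state.setCurrentURI(state.currentURI);
        return KNOWN_HANDLES.contains(state.currentURI) ? 200 : 404;
    }

    public static void main(String[] args) {
        String doubled = CONTEXT_PATH + CONTEXT_PATH + "/travel.html";
        String normal = CONTEXT_PATH + "/travel.html";
        System.out.println("restripping, doubled: " + serve(new RestrippingState(), doubled));
        System.out.println("restripping, normal:  " + serve(new RestrippingState(), normal));
        System.out.println("strip-once, doubled:  " + serve(new StripOnceState(), doubled));
        System.out.println("strip-once, normal:   " + serve(new StripOnceState(), normal));
    }
}
```

A regression test for this class of bug requests the doubled-prefix URL and expects a 404, alongside the normal URL still resolving.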

