[MAGNOLIA-8142] Non ASCII characters in URIs interfere with CsrfTokenSecurityFilter Created: 26/Jul/21  Updated: 05/Nov/21  Resolved: 06/Aug/21

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.7.11, 6.2.10
Fix Version/s: 5.7.12, 6.2.12

Type: Bug Priority: Neutral
Reporter: Richard Gange Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: maintenance
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File imaging.png    
Issue Links:
Relates
causality
duplicate
is duplicated by MAGNOLIA-7991 Invalid path for cookie with special ... Closed
is duplicated by MGNLCE-262 CsrfTokenSecurityFilter does not enco... Closed
relation
is related to MAGNOLIA-8162 Image URI with spaces cause CsrfToken... Closed
is related to MGNLDAM-980 Image with non ASCII characters in it... Closed
is related to MGNLIMG-231 Bypass CsrfTokenSecurityFilter for im... Closed
is related to MAGNOLIA-8150 CsrfTokenSecurityFilter could create ... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Date of First Response:
Sprint: Maintenance 68

 Description   

If there is e.g. umlaut in the URI of an imaging request it returns a 500 error.

HTTP Status 500 – Internal Server ErrorType Exception ReportMessage An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookieDescription The server encountered an unexpected condition that prevented it from fulfilling the request.Exceptionjava.lang.IllegalArgumentException: An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookie
	org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:227)
	org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:152)
	org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
	org.apache.catalina.connector.Response.addCookie(Response.java:967)
	org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
	javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:58)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.unloggedRequestCheckPasses(CsrfTokenSecurityFilter.java:174)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.csrfCheckPasses(CsrfTokenSecurityFilter.java:118)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.doFilter(CsrfTokenSecurityFilter.java:109)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.UnicodeNormalizationFilter.doFilter(UnicodeNormalizationFilter.java:89)

Notes

  • In previous version of Magnolia we used to bypass "dot everything". Now that configuration is more refined to include only some dot requests.
  • Possibly created by MAGNOLIA-8115 or one of the linked tickets.
  • Seems reasonable that adding a bypass for /.imaging would be enough.

Update
Seems to affecting any URI with umlauts. Example from the stories app.

27-Jul-2021 07:15:42.000 SCHWERWIEGEND [http-nio-11080-exec-70] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception27-Jul-2021 07:15:42.000 SCHWERWIEGEND [http-nio-11080-exec-70] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception java.lang.IllegalArgumentException: An invalid path [/projekte/Case-Studies~Frank-Börsch~] was specified for this cookie at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:227) 

Maybe we need a property voter for UTF-8 on the filter as well.

Solution

  • ASCII encode request's servletPath for Cookie path

Generated at Mon Feb 12 04:30:01 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.