[MAGNOLIA-8162] Image URI with spaces cause CsrfTokenSecurityFilter#generateCookie to fail
Created: 23/Aug/21  Updated: 10/Nov/21  Resolved: 01/Nov/21

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.2.12
Fix Version/s: None

Type: Bug
Priority: Neutral
Reporter: Federico Grilli
Assignee: Unassigned
Resolution: Obsolete
Votes: 1
Labels: csrf, maintenance
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicate
is duplicated by MAGNOLIA-8220 Assets with space on its filename mak... Closed
relation
is related to MAGNOLIA-8150 CsrfTokenSecurityFilter could create ... Closed
is related to MAGNOLIA-8142 Non ASCII characters in URIs interfer... Closed
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled

 Description   

If request.getServletPath() contains spaces, then URI(path) throws

Exception in thread "main" java.net.URISyntaxException: Illegal character in path at index 51: /dam/jcr:d0836006-76be-458d-baa0-fd03ee061e57/image name with spaces.jpg
	at java.base/java.net.URI$Parser.fail(URI.java:2913)
	at java.base/java.net.URI$Parser.checkChars(URI.java:3084)
	at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3166)
	at java.base/java.net.URI$Parser.parse(URI.java:3125)
	at java.base/java.net.URI.<init>(URI.java:600)
	at Scratch.main(Scratch.java:14)

Wondering why image links use asset name instead of JCR name (which has spaces replaced with dash). Possibly for SEO reasons? 

At any rate, solving MAGNOLIA-8150 would likely make this issue obsolete. 

Workaround:

  • Add bypasses for /dam and /.imaging URIs
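
The failure reported above, reproduced next to a constructor that accepts the same decoded path (an added example, not Magnolia's code and not part of the original report; the class name ServletPathUri and the methods strict and quoted are hypothetical, and the sample path is the one from the stack trace):

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ServletPathUri {

    // Sample input: the decoded servlet path quoted in the stack trace above.
    static final String SERVLET_PATH =
            "/dam/jcr:d0836006-76be-458d-baa0-fd03ee061e57/image name with spaces.jpg";

    /** Single-argument constructor: parses the string as-is and rejects illegal characters. */
    static URI strict(String path) throws URISyntaxException {
        return new URI(path);
    }

    /**
     * Multi-argument constructor: percent-encodes characters that are illegal in a path.
     * It also always encodes '%', so it is only suitable for decoded input such as
     * HttpServletRequest#getServletPath(), never for an already-encoded request URI.
     */
    static URI quoted(String decodedPath) throws URISyntaxException {
        return new URI(null, null, decodedPath, null);
    }

    public static void main(String[] args) throws URISyntaxException {
        try {
            strict(SERVLET_PATH);
        } catch (URISyntaxException e) {
            // Same failure as in the report: the space is rejected by the parser.
            System.out.println("strict: " + e.getReason() + " at index " + e.getIndex());
        }
        URI uri = quoted(SERVLET_PATH);
        System.out.println("raw path:     " + uri.getRawPath());
        System.out.println("decoded path: " + uri.getPath());
    }
}
```

A security filter that derives a cookie attribute from the request path should handle the URISyntaxException explicitly, so that an unexpected character in a path does not abort the whole filter chain for otherwise valid requests.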


 Comments   
Comment by Michael Duerig [ 01/Nov/21 ]

Not a problem any more. With MAGNOLIA-7899 the servlet path is not part of the cookie any more.
