[MGNLIMG-231] Bypass CsrfTokenSecurityFilter for imaging URIs Created: 05/Aug/21  Updated: 16/Nov/21  Resolved: 05/Aug/21

Status: Closed
Project: Imaging
Component/s: None
Affects Version/s: 3.4.4
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Won't Do Votes: 0
Labels: csrf, maintenance
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File imaging.png    
Issue Links:
relation
is related to MAGNOLIA-8142 Non ASCII characters in URIs interfer... Closed
is related to MAGNOLIA-8150 CsrfTokenSecurityFilter could create ... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Sprint: Maintenance 68

 Description   

If there is a non ASCII character (e.g. an Umlaut) in the URI of an imaging request it returns a 500 error.

HTTP Status 500 – Internal Server ErrorType Exception ReportMessage An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookieDescription The server encountered an unexpected condition that prevented it from fulfilling the request.Exceptionjava.lang.IllegalArgumentException: An invalid path [/.imaging/default/dam/sntde/Bilder/logistikbilder/frau-mit-zebra-gerät-warehouse.jpg/jcr:content.jpg] was specified for this cookie
	org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:227)
	org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:152)
	org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
	org.apache.catalina.connector.Response.addCookie(Response.java:967)
	org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
	javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:58)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.unloggedRequestCheckPasses(CsrfTokenSecurityFilter.java:174)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.csrfCheckPasses(CsrfTokenSecurityFilter.java:118)
	info.magnolia.cms.security.CsrfTokenSecurityFilter.doFilter(CsrfTokenSecurityFilter.java:109)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.UnicodeNormalizationFilter.doFilter(UnicodeNormalizationFilter.java:89)

Notes

  • In previous version of Magnolia we used to bypass "dot everything". Now that configuration is more refined to include only some dot requests.
  • Possibly created by MAGNOLIA-8115 or one of the linked tickets.
  • Seems reasonable that adding a bypass for /.imaging would be enough.

 


Generated at Mon Feb 12 02:13:34 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.