NormaliseUriHandler + BasePathHandler


Stuart Miller

Nov 19, 2014, 11:19:46 AM11/19/14
to utter...@googlegroups.com
Hello all,

We found some of our resources stopped working whilst upgrading from an elderly version of UI up to the latest. After some debugging, we think that the problem is a combination of the NormaliseUriHandler and the BasePathHandler misbehaving.

Let's say the BasePath is set to /foo/. The BasePathHandler is meant to remove /foo/ from all requests so you don't have to specify the whole path in the resource -- eg, /foo/bar will be converted to just bar.

The NormaliseUriHandler kicks in beforehand though, and will change any request to /foo/ to be /foo, which obviously doesn't match the BasePath.

This is an edge case, but it's quite annoying for the first request!

We monkey-patched the RestApplication and swapped the order of the two handlers, which seems to fix the issue, but we're not sure of the purpose of the normalising in the first place.

Any thoughts?

Stuart

Daniel Worthington-Bodart

Nov 19, 2014, 4:34:07 PM11/19/14
to utterlyidle
We had our very first security vulnerability disclosed a few months back, where it was possible to craft a cunning request using "dot segments" to get access to files outside of the correct location of a static bound resource, i.e.

http://utterlidle.server.com/some/static/resource/../../../../../etc/passwd

I fixed it by making the TL Uri class call down and use the Java built-in URI class, but I realise now that I should have done the right thing and actually implemented the proper RFC algorithm, unlike the hack that is the java.net.URI class.

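As an added illustration (this is not utterlyidle's code and not Daniel's fix), here is the RFC 3986 section 5.2.4 remove_dot_segments algorithm in Python, followed by a base-path strip and a static-resource containment check. The helper names strip_base_path and resolve_static, the URL prefix /some/static/resource/, the directory /var/www/static and the sample requests are assumptions made for the example. It shows two things the thread touches on: the RFC algorithm leaves a trailing slash alone, so /foo/ still matches a base path of /foo/ even when normalisation runs before base-path stripping, and the dot-segment request quoted above collapses to /etc/passwd, so the file lookup must still confirm the resolved path sits under the bound directory.

```python
import posixpath
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4, implemented literally with an input and output buffer.

    Unlike a "strip the trailing slash" normaliser, this keeps "/foo/" as "/foo/".
    """
    inp = path
    out = []
    while inp:
        if inp.startswith("../"):          # A: leading "../" or "./" is dropped
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):        # B: "/./" becomes "/"
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):       # C: "/../" becomes "/" and pops a segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):           # D: a lone "." or ".." is dropped
            inp = ""
        else:                              # E: move one segment (with its leading "/") to output
            idx = inp.find("/", 1) if inp.startswith("/") else inp.find("/")
            if idx == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:idx])
                inp = inp[idx:]
    return "".join(out)


def strip_base_path(request_path: str, base_path: str):
    """Normalise first, then strip base_path (assumed to end in "/").

    Returns the remainder ("" for a request of exactly base_path), or None when the
    normalised path does not live under base_path.
    """
    assert base_path.endswith("/"), "base_path is expected to end with '/'"
    normalised = remove_dot_segments(request_path)
    if not normalised.startswith(base_path):
        return None
    return normalised[len(base_path):]


def resolve_static(request_path: str, url_prefix: str, root_dir: str):
    """Map a static-resource request onto a file under root_dir.

    Percent-decodes before normalising so "%2e%2e/" is treated as "../", and
    finally checks the joined path is still inside root_dir (a doubled slash
    would otherwise let posixpath.join discard root_dir). Returns None on rejection.
    """
    rel = strip_base_path(unquote(request_path), url_prefix)
    if rel is None:
        return None
    root = root_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the prefix and directory are assumptions.
    prefix, root = "/some/static/resource/", "/var/www/static"
    for req in ("/foo/", "/foo/bar", "/some/static/resource/../../../../../etc/passwd"):
        print(req, "->", remove_dot_segments(req))
    for req in ("/some/static/resource/css/site.css",
                "/some/static/resource/../../../../../etc/passwd",
                "/some/static/resource/%2e%2e/%2e%2e/etc/passwd",
                "/some/static/resource//etc/passwd"):
        print(req, "->", resolve_static(req, prefix, root))
```

The ordering point from the first message falls out naturally: because remove_dot_segments does not collapse "/foo/" to "/foo", running it before strip_base_path still yields "" for a request of exactly the base path and "bar" for "/foo/bar", while "/foo/../etc/passwd" normalises to "/etc/passwd" and is rejected before any file is touched.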

Daniel Worthington-Bodart

Nov 19, 2014, 4:36:37 PM11/19/14
to utterlyidle
Oh, any chance you can raise an issue for this, ideally with a failing test? I'll try and fix this tomorrow.

PS. I hopefully will see you tomorrow evening ;)

Stuart Miller

Nov 19, 2014, 5:56:06 PM11/19/14
to utter...@googlegroups.com

Yep no worries, we'll come up with something tomorrow.

Thanks for the explanation!

Stuart Miller

Nov 20, 2014, 8:16:06 AM11/20/14
to utter...@googlegroups.com
Opened https://github.com/bodar/utterlyidle/issues/2 for this. There is a pull request attached with a failing test -- I couldn't work out a better way of attaching code to an issue.