- Bug
- Resolution: Done
- Major
- 2.1.7.Final
Pull requests:
- https://github.com/undertow-io/undertow/pull/1117
- https://github.com/undertow-io/undertow/pull/1118
- https://github.com/undertow-io/undertow/pull/1119
- https://github.com/undertow-io/undertow/pull/1151
- https://github.com/undertow-io/undertow/pull/1152
- https://github.com/undertow-io/undertow/pull/1153
In Undertow, when the class io.undertow.util.CanonicalPathUtils is used to canonicalize a given path URI, it may ignore some two-dot segments (../) when the resulting path goes outside the servlet context.
The javadoc of getRequestDispatcher says:
The pathname specified may be relative, although it cannot extend outside the current servlet context. If the path begins with a "/" it is interpreted as relative to the current context root. This method returns null if the servlet container cannot return a RequestDispatcher.
So a path like /../../../something currently returns the dispatcher for /something, which is against the spec or at least very surprising. Returning null is much more aligned with the spec and with the reference implementation.
There will be a way (a system property) to restore the previous behavior just in case.
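To make the two behaviours concrete, here is an added stand-alone canonicalizer (illustration only, not Undertow's CanonicalPathUtils): in strict mode a ".." that would climb above the context root yields null, as the spec-aligned fix does, while lenient mode silently drops the extra ".." segments, as the old code did. The `allowEscape` flag is a hypothetical stand-in for the system-property toggle mentioned above, whose name is not given here.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration, not Undertow's own code. `allowEscape` stands in for the
// system-property toggle the issue mentions; the real property name is not given.
public final class ContextPathCanonicalizer {

    /**
     * Resolves "." and ".." segments of a context-relative path.
     * Returns null when a ".." would climb above the context root and
     * allowEscape is false (spec-aligned behaviour); when allowEscape is true
     * the surplus ".." segments are dropped (the previous lenient behaviour).
     */
    public static String canonicalize(String path, boolean allowEscape) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                 // leading/double slash and "." are no-ops
            }
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    if (!allowEscape) {
                        return null;      // would leave the servlet context
                    }
                    continue;             // lenient: ignore the extra ".."
                }
                stack.removeLast();       // normal case: go up one segment
                continue;
            }
            stack.addLast(seg);
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the one quoted in the issue.
        String[] inputs = { "/a/b/../c", "/../../../something", "/a/../.." };
        for (String in : inputs) {
            System.out.printf("%-22s strict=%-12s lenient=%s%n",
                    in, canonicalize(in, false), canonicalize(in, true));
        }
    }
}
```

For "/../../../something" the strict mode returns null while the lenient mode returns "/something", which is exactly the difference the issue describes; a container that dispatches on the lenient result serves a resource the caller should not be able to reach from that context.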
- causes
  - JBEAP-23475 Error processing request when path contains "/../../" (Closed)
  - JBEAP-21589 [GSS](7.3.z) UNDERTOW-1886 - Undertow ignores two-dot segments in relative path URI when its canonicalized path is outside servlet context (Closed)
  - JBEAP-21749 [GSS](7.4.z) UNDERTOW-1886 - Undertow ignores two-dot segments in relative path URI when its canonicalized path is outside servlet context (Closed)
- is incorporated by
  - WFCORE-5425 Upgrade Undertow from 2.2.6.Final to 2.2.8.Final (Closed)