[ICE-9942] NPE when pathInfo is not available - ICEsoft JIRA Issue Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: EE-3.2.0.GA, 3.3
Fix Version/s: EE-3.3.0.GA_P02
Component/s: Framework
Labels:
None
Environment:
Any

Description

Work done in ~~ICE-8772~~ left open the possibility for a NullPointerException when pathInfo is not part of the request URL.

The initial work was to help secure requests with URLs that might contain relative references. This meant getting and assessing the pathInfo but did not guard against pathInfo being null.

Issue Links

is duplicated by

ICE-9939 NPE in CompatResourceServlet on URL's without path info ("http://host/url-pattern/")

Open

Activity

Hide

Permalink

Deryk Sinotte added a comment - 26/Mar/14 2:16 PM

Added a guard against pathInfo being null:

        String path = httpServletRequest.getPathInfo();

        if(path != null && path.contains("..")){
            log.log(Level.WARNING, "resource path is potentially unsafe " + path);
            httpServletResponse.setStatus(404, "Resource not found");
            return;
        }

Show

Deryk Sinotte added a comment - 26/Mar/14 2:16 PM Added a guard against pathInfo being null: String path = httpServletRequest.getPathInfo(); if (path != null && path.contains( ".." )){ log.log(Level.WARNING, "resource path is potentially unsafe " + path); httpServletResponse.setStatus(404, "Resource not found" ); return ; }

People

Assignee:

Deryk Sinotte

Reporter:

Deryk Sinotte

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

26/Mar/14 2:12 PM

Updated:

14/Nov/14 5:42 PM

Resolved:

26/Mar/14 2:16 PM