ICEfaces / ICE-9942

NPE when pathInfo is not available

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-3.2.0.GA, 3.3
    • Fix Version/s: EE-3.3.0.GA_P02
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      Any

      Description

      Work done in ICE-8772 left open the possibility for a NullPointerException when pathInfo is not part of the request URL.

      The initial work was to help secure requests with URLs that might contain relative references. This meant getting and assessing the pathInfo but did not guard against pathInfo being null.


          Activity

          Deryk Sinotte created issue -
          Deryk Sinotte made changes -
          Field Original Value New Value
          Assignee Deryk Sinotte [ deryk.sinotte ]
          Deryk Sinotte made changes -
          Fix Version/s EE-3.3.0.GA_P02 [ 11371 ]
          Deryk Sinotte added a comment -

          Added a guard against pathInfo being null:

                  String path = httpServletRequest.getPathInfo();
          
                  if(path != null && path.contains("..")){
                      log.log(Level.WARNING, "resource path is potentially unsafe " + path);
                      httpServletResponse.setStatus(404, "Resource not found");
                      return;
                  }
          
          
          Deryk Sinotte made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Kairat Rakhimov made changes -
          Link This issue is duplicated by ICE-9939 [ ICE-9939 ]
          Ken Fyten made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
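
The servlet container reports a null pathInfo whenever a request has no extra path after the servlet path, for example when it is matched by an extension mapping. The following is an added example, not ICEfaces code: it models that with a simplified, hypothetical `pathInfoFor` helper and constructed requests, and compares an assumed unguarded form of the check with the guarded form from the comment above.

```java
public class PathInfoGuardDemo {

    // Simplified model of how a servlet container derives pathInfo
    // (hypothetical helper for this example; a real container does this itself).
    static String pathInfoFor(String mapping, String requestPath) {
        if (mapping.endsWith("/*")) {                  // path mapping, e.g. /resources/*
            String prefix = mapping.substring(0, mapping.length() - 2);
            String rest = requestPath.substring(prefix.length());
            return rest.isEmpty() ? null : rest;       // no extra path -> null
        }
        return null;                                   // extension or exact mapping
    }

    // Assumed shape of the check before the fix: pathInfo is dereferenced unconditionally.
    static boolean unsafeBefore(String pathInfo) {
        return pathInfo.contains("..");
    }

    // The check with the null guard described in the comment above.
    static boolean unsafeAfter(String pathInfo) {
        return pathInfo != null && pathInfo.contains("..");
    }

    static String outcome(boolean unsafe) {
        return unsafe ? "404" : "continue";
    }

    public static void main(String[] args) {
        // Constructed samples: {servlet mapping, request path after the context path}
        String[][] samples = {
            {"*.jsf", "/index.jsf"},
            {"/resources/*", "/resources"},
            {"/resources/*", "/resources/css/site.css"},
            {"/resources/*", "/resources/css/../secret.txt"},
        };
        for (String[] s : samples) {
            String pathInfo = pathInfoFor(s[0], s[1]);
            String before;
            try {
                before = outcome(unsafeBefore(pathInfo));
            } catch (NullPointerException e) {
                before = "NullPointerException";       // the failure this issue reports
            }
            System.out.printf("%-13s %-30s pathInfo=%-22s before=%-21s after=%s%n",
                    s[0], s[1], pathInfo, before, outcome(unsafeAfter(pathInfo)));
        }
    }
}
```

The first two samples are the ones that matter for this issue: both yield a null pathInfo, so the unguarded check fails with an exception on an ordinary request while the guarded check lets it continue.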

            People

            • Assignee:
              Deryk Sinotte
              Reporter:
              Deryk Sinotte
            • Votes:
              0
              Watchers:
              1

              Dates

              • Created:
                Updated:
                Resolved: