Problem
The current implementation of the vertx-rest-storage performs a path cleanup for every request before handling it. The cleanup is made with the following method:

    private String cleanPath(String value) {
        // Strip ".." sequences and collapse "//" into a single slash
        value = value.replaceAll("\\.\\.", "").replaceAll("\\/\\/", "/");
        // Drop trailing slashes
        while (value.endsWith("/")) {
            value = value.substring(0, value.length() - 1);
        }
        if (value.isEmpty()) {
            return "/";
        }
        return value;
    }

This cleanup contains the removal of double slashes. According to RFC 3986, Section 3.3, double slashes in URIs are valid and therefore should be respected.
Since the current implementation removes double slashes before handling the request, problems can occur because the client does not expect this behaviour.
Example:
The following request defines a login entry of a user which belongs to a department:
PUT /logins/zips/560060/users/IT_Department/userA
The next request comes from a user having a department with an empty name:
PUT /logins/zips/560060/users//userB
Since vertx-rest-storage removes the double slashes, the request will be changed to:
PUT /logins/zips/560060/users/userB
which writes the userB where the department should have been written.
Solution
The path processing behaviour should be configurable via module configuration. The property called pathProcessingStrategy takes the values unmodified and cleaned. This behaviour will be applied to all requests.
However, to provide more flexibility and to not break clients already using this "wrong" behaviour, I would suggest adding an additional HTTP header
which overrides the behaviour per request. Without this header, the behaviour configured in the pathProcessingStrategy property will be used.
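
The proposal above, sketched as an added example that is not part of the original issue or of the vertx-rest-storage code base. `resolve`, `segments` and the `perRequest` parameter are hypothetical names; `perRequest` stands in for the proposed header, whose name is not given above.

```java
import java.util.Arrays;
import java.util.List;

public class PathStrategyDemo {
    // Values named in the issue for the pathProcessingStrategy property.
    enum Strategy { unmodified, cleaned }

    // Same behaviour as the cleanPath method quoted in the issue.
    static String cleanPath(String value) {
        value = value.replaceAll("\\.\\.", "").replaceAll("\\/\\/", "/");
        while (value.endsWith("/")) {
            value = value.substring(0, value.length() - 1);
        }
        return value.isEmpty() ? "/" : value;
    }

    // perRequest is a hypothetical stand-in for the proposed header value;
    // null means the header is absent and the configured strategy applies.
    static String resolve(String rawPath, Strategy configured, Strategy perRequest) {
        Strategy effective = perRequest != null ? perRequest : configured;
        return effective == Strategy.cleaned ? cleanPath(rawPath) : rawPath;
    }

    // Split while keeping empty segments, so "users//userB" keeps its empty department.
    static List<String> segments(String path) {
        return Arrays.asList(path.substring(1).split("/", -1));
    }

    public static void main(String[] args) {
        String[] requests = {   // request paths taken from the issue
            "/logins/zips/560060/users/IT_Department/userA",
            "/logins/zips/560060/users//userB"
        };
        for (Strategy s : Strategy.values()) {
            for (String raw : requests) {
                String stored = resolve(raw, s, null);
                System.out.printf("%-10s %-46s -> %s %s%n", s, raw, stored, segments(stored));
            }
        }
        // A per-request override wins over the configured default.
        System.out.println(resolve(requests[1], Strategy.cleaned, Strategy.unmodified));
    }
}
```

Under `cleaned`, the second path loses its empty department segment, so `userB` lands at the department level; under `unmodified`, the empty segment is preserved and the two resources stay at the same depth.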