Use createInternal more…

everywhere that we know, where the passed on path is already in its encoded form. Also stop collapsing double slashes, as java.net.URI.normalize() now does it for us. Still continue eating slashes at end of path. Also do not try to encode an empty path (makes normal operation fail).
eXist-db · Jul 12, 2015 · a297977 · a297977
1 parent adb4a8c
commit a297977
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 15 deletions.
diff --git a/src/org/exist/http/RESTServer.java b/src/org/exist/http/RESTServer.java
@@ -387,13 +387,7 @@ public void doGet(final DBBroker broker, final HttpServletRequest request,
         }
         // Process the request
         DocumentImpl resource = null;
-        String pathStr = path; // path comes straight from jetty via EXistServlet
-        // eat trailing slash(es), else collection resources might not be found
-        while(pathStr.endsWith("/")) { pathStr = pathStr.substring(0, pathStr.length()-1); }
-        // collapse preceding slashes, else resources might not be found
-        while(pathStr.startsWith("//")) { pathStr = pathStr.substring(1); }
-        // path is understood to be already in its encoded form
-        final XmldbURI pathUri = XmldbURI.createInternal(pathStr);
+        final XmldbURI pathUri = XmldbURI.createInternal(path);
         try {
             // check if path leads to an XQuery resource
             final String xquery_mime_type = MimeType.XQUERY_TYPE.getName();
@@ -542,7 +536,7 @@ public void doHead(final DBBroker broker, final HttpServletRequest request,
             throws BadRequestException, PermissionDeniedException,
             NotFoundException, IOException {
 
-        final XmldbURI pathUri = XmldbURI.create(path);
+        final XmldbURI pathUri = XmldbURI.createInternal(path);
         if (checkForXQueryTarget(broker, pathUri, request, response)) {
             return;
         }
@@ -622,7 +616,7 @@ public void doPost(final DBBroker broker, final HttpServletRequest request,
         }
 
         final Properties outputProperties = new Properties(defaultOutputKeysProperties);
-        final XmldbURI pathUri = XmldbURI.create(path);
+        final XmldbURI pathUri = XmldbURI.createInternal(path);
         DocumentImpl resource = null;
 
         final String encoding = outputProperties.getProperty(OutputKeys.ENCODING);
@@ -1116,7 +1110,7 @@ public void doPut(final DBBroker broker, final XmldbURI path,
 
     public void doDelete(final DBBroker broker, final String path, final HttpServletRequest request, final HttpServletResponse response)
             throws PermissionDeniedException, NotFoundException, IOException, BadRequestException {
-        final XmldbURI pathURI = XmldbURI.create(path);
+        final XmldbURI pathURI = XmldbURI.createInternal(path);
         if (checkForXQueryTarget(broker, pathURI, request, response)) {
             return;
         }
@@ -1274,7 +1268,7 @@ protected void search(final DBBroker broker, final String query,
             }
         }
 
-        final XmldbURI pathUri = XmldbURI.create(path);
+        final XmldbURI pathUri = XmldbURI.createInternal(path);
         try {
             final Source source = new StringSource(query);
             final XQuery xquery = broker.getBrokerPool().getXQueryService();

diff --git a/src/org/exist/http/servlets/EXistServlet.java b/src/org/exist/http/servlets/EXistServlet.java
@@ -118,7 +118,7 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response) t
         }
 
         try(final DBBroker broker = getPool().get(user)) {
-            final XmldbURI dbpath = XmldbURI.create(path);
+            final XmldbURI dbpath = XmldbURI.createInternal(path);
             final Collection collection = broker.getCollection(dbpath);
             if (collection != null) {
                 response.sendError(400, "A PUT request is not allowed against a plain collection path.");
@@ -158,7 +158,7 @@ private String adjustPath(HttpServletRequest request) throws ServletException {
         String path = request.getPathInfo();
 
         if (path == null) {
-            path = "";
+            return "";
         }
 
 LOG.info(" In: " + path);
@@ -175,6 +175,10 @@ private String adjustPath(HttpServletRequest request) throws ServletException {
         } catch (final URISyntaxException e) {
             throw new ServletException(e.getMessage(), e);
         }
+        // eat trailing slashes, else collections might not be found
+        while(path.endsWith("/")) {
+            path = path.substring(0, path.length() - 1);
+        }
         // path now is in proper canonical encoded form
 LOG.info("Out: " + path);
 

diff --git a/test/src/org/exist/http/RESTServiceTest.java b/test/src/org/exist/http/RESTServiceTest.java
@@ -126,9 +126,9 @@ public class RESTServiceTest {
      */
     // Below String mostly contains the PCHAR set literally; the colon fails though, so its omitted…
     // Also in the mix: some (mandatory except %27) escapes, some multibyte UTF-8 characters
-    // and a superficial directory traversal
+    // and a superficial directory traversal and a superficial double slash too
     private final static String RESOURCE_URI_PLUS = SERVER_URI + XmldbURI.ROOT_COLLECTION +
-            "/test/../test/A-Za-z0-9_~!$&'()*+,;=@%20%23%25%27%2F%3F%5B%5Däöü.xml";
+            "/test//../test/A-Za-z0-9_~!$&'()*+,;=@%20%23%25%27%2F%3F%5B%5Däöü.xml";
 
     private final static String XML_DATA = "<test>"
             + "<para>\u00E4\u00E4\u00FC\u00FC\u00F6\u00F6\u00C4\u00C4\u00D6\u00D6\u00DC\u00DC</para>"