-
Notifications
You must be signed in to change notification settings - Fork 161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: do not serve UI for invalid location #11552
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That fix handles only one case: open a page with location which we don't accept.
But as I understand it won't do anything if navigation happens from the correct location to the location ".." using a router link.
So the code which catch the invalid location should be somewhere inside Router handling code.
And there is already some code which handles invalid location. But it does it in a specific way.
And then there is a question how it should handle it: 503 vs 404 is a semantical difference.
".." is invalid because we are trying to prevent traversing resources via waling using parent directory. So every such attempt is disallowed and 503 is used to indicate that: it's disallowed.
On the other hand ".." is an attempt to go to the parent which doesn't exist in this specific case described in the ticket. And it should be 404 because it doesn't exist.
There is a number of issue with that:
- ".." currently is always "invalid" URL and 503 is returned,
- ".." should return 404 for "/.." according to the ticket
- if "foo" an existing route and "/" is a route then ".." should work fine if you are at the moment in the "foo" route since it becomes "foo/.." and it should be translated to "/" which is working route.
So the current 503 error handles everything semantically as: wrong URL and you should not try to use ".." ever inside the URL.
The ticket wants to distinguish ".." segment inside URL and it's significant efforts to implement.
I personally don't see serious benefit to have 404 code instead of 503.
The current approach allows to handle all this cases in a similar way.
I cannot say that the expected behavior in the ticket is really expected even though it makes sense.
The current behavior : 503 for every URL which contains ".." makes sense for me as well. So we disallow every URL which contains "..".
That would be another thing, which I'm not sure how relevant/important it is, but anyway it can be another ticket if necessary.
@denis-anisimov I don't understand 503 error like that, can you please elaborate how you see it like that ? To me 503 error is about service not available and in e.g. https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/503 it says
To me there is a clear distinction between server getting an invalid URL that won't work and service being down for maintenance. Thus 503 is not the right thing, and I think 400 (not 404) which e.g. Tomcat uses is something we should align with.
So to me there is a clear difference between the two that is being fixed for initial bootstrapping. |
Update : I haven't noticed that 400 is used instead of 404 (as initially requested in the ticket). So part of my comments is irrelevant. My bad. Well, I don't know which error code is more suitable. This is not relevant anymore: if we use a code which indicate an error (not 404) then it's fine: I don't see this is as a separate issue since it's exactly the question: whether we treat ".." as invalid generally (and then it's a some error code which is not 404) or depending on request it's either valid or not. The invalid URL is handled inside the Router logic and the fix should go there instead of boostrapping. The current fix location is just in a wrong place. So instead of covering all the cases including the router navigation it's located on the top of the stacktrace with catching only one specific case and it uses a hack: instantiate a The fix moved into the Router on the other hand will handle every case properly and generally. I don't know this functionality enough. @caalador knows thus much better and the code is written mostly by him. |
I was referring to 404 since the original ticket description talks about 404. But now I see 400 in the fix. I've missed that . So the error code 400 is fine I think. But anyway: the logic should be somewhere inside router code which creates a |
flow-server/src/main/java/com/vaadin/flow/server/BootstrapHandler.java
Outdated
Show resolved
Hide resolved
flow-server/src/main/java/com/vaadin/flow/server/BootstrapHandler.java
Outdated
Show resolved
Hide resolved
flow-server/src/main/java/com/vaadin/flow/router/LocationUtil.java
Outdated
Show resolved
Hide resolved
d4d2a44
to
fdb789a
Compare
flow-server/src/test/java/com/vaadin/flow/router/LocationTest.java
Outdated
Show resolved
Hide resolved
3a2539f
to
83193a1
Compare
InvalidUrlTest.invalidUrlAtInitialization_uiInitialiazesAsExpected is getting the wrong response.
The test probably has something to do with the strange |
The test seems broken indeed as it is using |
Fixes #9443 for legacy bootstrapping mode. Can be picked for 2.x
SonarQube analysis reported 6 issues
|
Fixes #9443 for legacy bootstrapping mode. Can be picked for 2.x
Hi @pleku and @caalador, when i performed cherry-pick to this commit to 2.7, i have encountered the following issue. Can you take a look and pick it manually? |
Fixes #9443 for legacy bootstrapping mode. Can be picked for 2.x
This ticket/PR has been released with platform 22.0.0.alpha2 and is also targeting the upcoming stable 22.0.0 version. |
Fixes #9443 for Flow 2.x (V14).
This ticket/PR has been released with platform 14.7.0.rc1 and is also targeting the upcoming stable 14.7.0 version. |
Fixes #9443 for legacy bootstrapping mode.
IT and fix for Flow 3+ bootstrapping will come next. This commit can be picked to Flow 2.x with the IT from the other PR.