  1. XWiki Platform
  2. XWIKI-19167

Make XWiki work on Jetty 10.0.3+ without any URI compliance config

Details

    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 13.10-rc-1
    • None
    • None
    • Unknown

    Description

      See also XWIKI-19081

      In order to not have to configure Jetty with jetty.httpConfig.uriCompliance=RFC3986, we would need to fix all places in XWiki where URL path elements can contain the % symbol (which gets encoded as %25).

      Some examples:

      • Various APIs manipulating Space/Doc names - For this we could forbid the % character in page names by default, same as we do for / and \ for Tomcat
      • Async job REST API, which takes double-encoded ids as input. Thus, any characters in the job id that are special URL characters (: / ? # [ ] @ ! $ & ' ( ) * + , ; =) are URL-encoded, leading to % being used, which is then encoded as %25 and triggers the Jetty URL compliance check. For example, if the async macro is used on a page that contains any of these characters.
      • Generic Job REST API when the id contains a %. While nothing prevents it, it currently tends to be rare in XWiki Standard, except for jobs related to pages whose reference contains a % (which could be fixed by a general embargo on % in page references, as described in a previous point) and async rendering jobs (which are currently generally manipulated through a dedicated API, but it would affect XWIKI-16666), but that could change with new kinds of jobs.
      • <add other places here>
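
Added example, not part of the issue or of XWiki's code: the Python below reproduces the double encoding described for job ids and flags request targets whose path segments carry %25, the sequence that triggers the Jetty check. The `/rest/job/` prefix, the job id and the sample request targets are constructed for illustration; the page-name check mirrors the proposed ban on % alongside / and \.

```python
from urllib.parse import quote, urlsplit

# Hypothetical route prefix, for illustration only (not taken from the issue).
JOB_PREFIX = "/rest/job/"

# '/' and '\' are already forbidden per the issue; '%' is the proposed addition.
FORBIDDEN_IN_PAGE_NAMES = set("/\\%")


def encode_job_path(id_elements):
    """Build a job URL path with each id element URL-encoded twice."""
    once = [quote(e, safe="") for e in id_elements]   # ':' becomes %3A
    twice = [quote(e, safe="") for e in once]         # '%3A' becomes %253A
    return JOB_PREFIX + "/".join(twice)


def segments_with_encoded_percent(request_target):
    """Return path segments containing %25; the query string is ignored
    because the issue concerns URL path elements only."""
    path = urlsplit(request_target).path
    return [seg for seg in path.split("/") if "%25" in seg]


def audit(request_targets):
    """Map each offending request target to its flagged path segments."""
    hits = {}
    for target in request_targets:
        flagged = segments_with_encoded_percent(target)
        if flagged:
            hits[target] = flagged
    return hits


def page_name_allowed(name):
    """Validation matching the proposed default: reject '/', '\\' and '%'."""
    return not (FORBIDDEN_IN_PAGE_NAMES & set(name))


# Constructed sample request targets.
SAMPLES = [
    "/bin/view/Sandbox/WebHome",
    "/bin/view/Sandbox/100%25Done",        # page name containing a literal %
    "/bin/view/Main/Search?text=50%25",    # %25 only in the query string
    encode_job_path(["async", "macro", "xwiki:Sandbox.WebHome"]),
]

if __name__ == "__main__":
    for target, segs in audit(SAMPLES).items():
        print(target, "->", segs)
```
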

            People

              Unassigned Unassigned
              vmassol Vincent Massol