Archiva / MRM-893

Illegal browse operation allowed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1
    • Fix Version/s: 1.1.2
    • Component/s: browser
    • Labels: None
    • Patch Submitted: Yes
    • Number of attachments: 3

      Description

      http://archiva.openqa.org/repository/releases/org/openqa/selenium/client-drivers/selenium-client-drivers/0.9.2/selenium-client-drivers-0.9.2-tests.jar/ <-- note the last forward slash

      returns the jar, which is illegal.

      http://repo1.maven.org/maven2/HTTPClient/HTTPClient/0.3-3/HTTPClient-0.3-3.jar/

      returns HTTP 404, which is correct.

      This bug crashes maven-staging-plugin with wagon-beta-3, since it tries to pass the content of the jar to
      the HTML parser and crashes with an ArrayOutOfIndex exception.

      See http://jira.codehaus.org/browse/MRM-891 for details.

      Sorry, I am not able to provide a patch at this moment.

      1. MRM-893.patch (2 kB, Dan Tran)
      2. MRM-893-2.patch (3 kB, Dan Tran)
      3. MRM-893-3.patch (3 kB, Dan Tran)

        Activity

        Dan Tran added a comment -

        Please lower the priority, since I think I get maven-stage-plugin to prevent this condition from reaching Archiva.

        Brett Porter added a comment -

        I agree this is incorrect, but disagree it's a blocker.

        Why is the staging plugin trying to read it as a directory? Shouldn't it be interpreting that from the directory listing?

        Dan Tran added a comment -

        Actually it is not the stage plugin, but the lightweight HTTP wagon, which automatically puts a last '/' on the basePath in
        wagon.getFileList( basePath ).

        Dan Tran added a comment -

        What is the best way to fix this bug? I am clueless as to which part of the source to look at.

        Also, I prefer this fix rather than fixing the staging plugin, since it may make the stage plugin
        fix kind of HTTP-specific.

        Brett Porter added a comment -

        RepositoryServlet

        Dan Tran added a comment -

        Seems like it is inside Jackrabbit.

        Dan Tran added a comment -

        Just want to confirm the issue is in Jackrabbit:

        // check matching if-header for lock-token relevant operations
        resource = getResourceFactory().createResource( webdavRequest.getRequestLocator(), webdavRequest, webdavResponse );

        which slides through instead of throwing an exception

        Brett Porter added a comment -

        I think the request locator is ours, is it possible it is in there?

        Dan Tran added a comment -

        You are right, it is in ArchivaDavResourceLocator

        under this block

        //Remove trailing slashes otherwise Text.getRelativeParent fails
        if (resourcePath.endsWith("/") && resourcePath.length() > 1)
        {
            path = resourcePath.substring( 0, resourcePath.length() - 1 );
        }

        As you can see, the trailing slashes are purposely removed

        Brett Porter added a comment -

        Nice catch! If you're able to test and submit a patch, that'd be most helpful in applying it to the next release.

        Dan Tran added a comment -

        Attached is the fix + test. I found a better way to handle this specific condition without removing the intended behavior of purposely removing the end slashes when computing the local path.

        Dan Tran added a comment -

        MRM-893-2.patch has better test coverage.

        Dan Tran added a comment -

        More tests, just to make sure I don't break anything. This is it.

        Maria Odea Ching added a comment -

        Patch applied in trunk -r685076. Thanks Dan!
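
        The attached patches are not reproduced on this page. The following is an added illustration, not Archiva's code and not the MRM-893 patch, of the behaviour the thread converges on: keep stripping the trailing slash for the local path lookup, but answer 404 when a request that ended in "/" resolves to a regular file. The class name, the statusFor helper and the sample repository layout are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class TrailingSlashCheck {
    /** Hypothetical helper: HTTP status a repository GET should produce for requestPath. */
    static int statusFor(Path repoRoot, String requestPath) {
        // A trailing slash means the client is asking for a collection (directory listing).
        boolean asksForCollection = requestPath.length() > 1 && requestPath.endsWith("/");
        // Strip the trailing slash for the local lookup, as the locator quoted in this thread does...
        String lookup = asksForCollection
                ? requestPath.substring(0, requestPath.length() - 1)
                : requestPath;
        Path resolved = repoRoot.resolve(lookup.replaceFirst("^/+", "")).normalize();
        // Anything missing, or resolving outside the repository root, is not found.
        if (!resolved.startsWith(repoRoot) || !Files.exists(resolved)) {
            return 404;
        }
        // ...but remember what was asked for: a regular file is never a collection.
        if (asksForCollection && Files.isRegularFile(resolved)) {
            return 404;
        }
        return 200;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample repository, created in a temporary directory.
        Path root = Files.createTempDirectory("repo").toRealPath();
        Path dir = Files.createDirectories(root.resolve("org/example/demo/1.0"));
        Files.write(dir.resolve("demo-1.0.jar"), new byte[] {0x50, 0x4b});

        String[] requests = {
            "/org/example/demo/1.0/",               // directory listing
            "/org/example/demo/1.0/demo-1.0.jar",   // artifact download
            "/org/example/demo/1.0/demo-1.0.jar/",  // the case reported in this issue
            "/org/example/demo/1.0/missing.jar/",   // nothing there at all
        };
        for (String request : requests) {
            System.out.println(statusFor(root, request) + "  " + request);
        }
    }
}
```

        A client that appends "/" before listing, as the wagon described above does, then receives a 404 instead of jar bytes to feed to its HTML parser.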


          People

          • Assignee: Maria Odea Ching
          • Reporter: Dan Tran
          • Votes: 0
          • Watchers: 0
