Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.0
    • Fix Version/s: future release
    • Component/s: security
    • Labels:
      None
    • Environment:

      Nucleus

      Description

      The CommandSecurityChecker is creating AzResource URI by URL encoding the URI Path with the following logical operation:

      new URI(ADMIN_RESOURCE_SCHEME, URLEncoder.encode(resourceName, RESOURCE_NAME_URL_ENCODING), null)

      As an example, when using input resourceName as "/users/user/admin" this approach results in the following output from the constructed URI object:

      URI.toString() 'admin:%252Fusers%252Fuser%252Fadmin'
      URI.toASCIIString() 'admin:%252Fusers%252Fuser%252Fadmin'
      uri.getAuthority() 'null'
      uri.getPath() 'null'

      thus leaving the AzResource based on the URI object unable to obtain the proper Path information.

        Activity

        Craig Perez added a comment -

        Without URL encoding the following more expected output results:

        URI.toString() 'admin:/users/user/admin'
        URI.toASCIIString() 'admin:/users/user/admin'
        uri.getAuthority() 'null'
        uri.getPath() '/users/user/admin'
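
The behaviour described in this report can be reproduced with the JDK alone. The following is an added example, not code from the project: the scheme value `admin` is taken from the output above, while the `UTF-8` encoding name, the class and method names, the `requirePath` guard and the `asPath` alternative (four-argument `URI` constructor) are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

public class AzResourceUriDemo {
    // Assumed values: the report's output shows the scheme "admin"; the encoding name is a guess.
    static final String ADMIN_RESOURCE_SCHEME = "admin";
    static final String RESOURCE_NAME_URL_ENCODING = "UTF-8";

    // Construction quoted in the report: pre-encode, then pass as the scheme-specific part.
    // The three-argument constructor always quotes '%', so the name ends up encoded twice,
    // and because the result no longer starts with '/', the URI is opaque (it has no path).
    static URI encodedSsp(String resourceName) throws Exception {
        String encoded = URLEncoder.encode(resourceName, RESOURCE_NAME_URL_ENCODING);
        return new URI(ADMIN_RESOURCE_SCHEME, encoded, null);
    }

    // Same constructor without pre-encoding, as in the comment on the report.
    static URI rawSsp(String resourceName) throws URISyntaxException {
        return new URI(ADMIN_RESOURCE_SCHEME, resourceName, null);
    }

    // Hypothetical alternative: pass the name as the path component (host is null) so the
    // constructor quotes illegal characters itself and keeps '/' as the separator.
    static URI asPath(String resourceName) throws URISyntaxException {
        return new URI(ADMIN_RESOURCE_SCHEME, null, resourceName, null);
    }

    // Hypothetical guard: refuse to build an authorization resource from a URI with no path.
    static URI requirePath(URI uri) {
        if (uri.isOpaque() || uri.getPath() == null) {
            throw new IllegalArgumentException("resource URI has no path: " + uri);
        }
        return uri;
    }

    static void show(String label, URI uri) {
        System.out.printf("%-11s %-44s opaque=%-5s path=%s%n",
                label, uri, uri.isOpaque(), uri.getPath());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names; the second contains a character that must be quoted.
        for (String name : new String[] {"/users/user/admin", "/users/some user/admin"}) {
            show("encodedSsp", encodedSsp(name));
            show("rawSsp", rawSsp(name));
            show("asPath", requirePath(asPath(name)));
        }
    }
}
```

Passing the result of `encodedSsp` to `requirePath` throws, which turns the silent loss of path information into an explicit failure at construction time.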


          People

          • Assignee:
            Tim Quinn
            Reporter:
            Craig Perez
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated: