- Bug
- Resolution: Fixed
- Low
- 7.19.18, 8.5.5, 8.5.6
- 8
- Severity 3 - Minor
- 16
Issue Summary
This is reproducible on Data Center: (yes)
This is a continuation of the bug CONFSERVER-93655 - Getting HTTP 400 while saving page by using the close button.
If the content of a page template contains one of the following character sets, saving fails with an HTTP 400 response.
../ ..\ .../ ...\
Steps to Reproduce
- Create a fresh instance with Confluence 8.5.5
- Create a new page template by navigating to General Configuration > Global Templates and Blueprints
- Insert ../ into the template and save it
- The request gets HTTP 400
The same issue can be reproduced if we try to add the code in Stylesheet as well. This actually works correctly; we don't want to allow path traversal strings in stylesheets.
- Choose Administration > General Configuration > Stylesheet.
- Choose Edit.
- Insert ../ into the template and save it
- The request gets HTTP 400
Expected Results
The saving process should be completed properly.
Actual Results
Getting HTTP 400 message after clicking the save button.
Workaround
Replace the character sets below with ./ or .\ so that the save completes.
../ ..\ .../ ...\
- followed by: CONFSERVER-95889 Getting HTTP 400 while saving page from a template or from a copy by using the close button. (Closed)
- is related to: CONFSERVER-93655 Getting HTTP 400 while saving page by using the close button. (Closed)
[CONFSERVER-94256] Getting HTTP 400 while saving a page template or Stylesheet
Link | New: This issue followed by |
Resolution | New: Fixed [ 1 ] | |
Status | Original: Waiting for Release [ 12075 ] | New: Closed [ 6 ] |
Status | Original: Awaiting Merge [ 10064 ] | New: Waiting for Release [ 12075 ] |
Fix Version/s | New: 8.9.1 [ 107890 ] |
UIS | Original: 17 | New: 16 |
Fix Version/s | New: 8.5.9 [ 107992 ] |
Remote Link | New: This issue links to "Page (Extranet)" [ 896186 ] |
Fix Version/s | Original: 8.5.9 [ 107992 ] | |
Fix Version/s | Original: 8.9.1 [ 107890 ] |
Fix Version/s | New: 8.5.9 [ 107992 ] | |
Fix Version/s | New: 8.9.1 [ 107890 ] |
Fix Version/s | New: 7.19.22 [ 107995 ] | |
QA Demo Status | Original: Not Done [ 14330 ] | New: Done [ 14331 ] |
Testing Notes |
Original:
QA Kick off:
Had discussion to let ../ .../ ...\ ..\ in Global Stylesheet. [https://atlassian.slack.com/archives/C050V37P02Z/p1713329259003099]
Allow Path Traversal strings in:
* Global template (adding new, editing, description, title, body)
* Global Stylesheet
Add automated test.
Also fixed:
* Content tools-> templates
* Space Look and feel -> Stylesheet
* Space Look and feel -> PDF Layout
* Space Look and feel -> PDF Stylesheet
* Look and Feel -> Sidebar header and footer |
New:
QA Kick off:
Had discussion to let ../ .../ ...\ ..\ in Global Stylesheet. [https://atlassian.slack.com/archives/C050V37P02Z/p1713329259003099]
Allow Path Traversal strings in:
* Conf admin->Global template (adding new, editing, description, title, body)
* Conf admin->Stylesheets
Add automated test.
Also fixed:
* Conf admin->PDF Layout
* Conf admin->PDF Stylesheets
* Space -> Content tools-> templates
* Space -> Look and feel -> Stylesheet
* Space -> Look and feel -> PDF Layout
* Space -> Look and feel -> PDF Stylesheet
* Space -> Look and Feel -> Sidebar header and footer
During demo realised there are other fields which don't accept PT strings. Raised Jira tickets for them:
* user login page
* user management (find, add new)
* shortcut links |
Status | Original: In Review [ 10051 ] | New: Awaiting Merge [ 10064 ] |