- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 4.20.2
- Component/s: Assets - Core experiences
- Severity: 2 - Major
Issue Summary
Insight allows an attachment to be uploaded with a filename containing a forbidden character. Examples discovered so far: [ and ]
The filename is then sent to the client verbatim in the download URL, without any encoding, which produces an illegal URI.
The affected URL is http://localhost:48202/j8202/rest/insight/1.0/attachments/<ID>/<FILENAME>
Steps to Reproduce
- Browse to an Insight Object
- In the lower left-hand corner, upload an attachment whose filename contains a forbidden character, e.g. [IMG_1701.jpg
- Note the upload succeeds
- Click the attachment file name
Expected Results
Attachment downloads
Actual Results
The download fails with an HTTP 500 error page:
Sorry, we had some technical problems during your last operation.
Cause:
java.lang.IllegalArgumentException: Illegal character in path at index 60: http://localhost:48202/j8202/rest/insight/1.0/attachments/1/[IMG_1701.jpg
    at java.base/java.net.URI.create(URI.java:883) [?:?]
    at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95) [jsr311-api-1.1.1.jar:?]
    at com.atlassian.plugins.rest.module.RestDelegatingServletFilter$JerseyOsgiServletContainer.doFilter(RestDelegatingServletFilter.java:153) [?:?]
    at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829) [?:?]
    ...
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616) [tomcat-coyote.jar:8.5.65]
    ...
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.65]
    at java.base/java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.net.URISyntaxException: Illegal character in path at index 60: http://localhost:48202/j8202/rest/insight/1.0/attachments/1/[IMG_1701.jpg
    at java.base/java.net.URI$Parser.fail(URI.java:2913) [?:?]
    at java.base/java.net.URI$Parser.checkChars(URI.java:3084) [?:?]
    at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3166) [?:?]
    at java.base/java.net.URI$Parser.parse(URI.java:3114) [?:?]
    at java.base/java.net.URI.<init>(URI.java:600) [?:?]
    at java.base/java.net.URI.create(URI.java:881) [?:?]
Workaround
Workaround 1
Delete the attachment and re-upload it using a filename without forbidden characters.
Workaround 2
This workaround seamlessly corrects the problem for the [ and ] characters only; any other forbidden character still needs its own rule.
- Edit JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml
- Add the following above the </urlrewrite> tag:

<!-- JSDSERVER-10975 Encode Insight Attachment forbidden characters
     A rule is required for each character being blocked.
     Only the first <to> element requires the context path (if applicable);
     Tuckey prepends the context path on subsequent requests.
     $1 is the attachment ID and $2 is the filename sent to the client.
     The condition is required to prevent unlimited redirects.
     The <to> elements encode [ and ] to %5B and %5D respectively.
     The unencoded characters are illegal according to java.net.URI.create,
     which our REST module uses, so a redirect was required.
     ${encode} cannot be used because it encodes a space as + -->
<rule>
  <name>1/2 IAL JSDSERVER-10975 Encode [</name>
  <from>/rest/insight/1.0/attachments/(.*)/(.*)</from>
  <condition type="request-uri">rest/insight/1.0/attachments/.*/(.*\[.*)</condition>
  <condition type="method">GET</condition>
  <to type="redirect">/YOURCONTEXT/rest/insight/1.0/attachments/$1/${replace:$2:\[:%5B}</to>
</rule>
<rule>
  <name>2/2 IAL JSDSERVER-10975 Encode ]</name>
  <from>/rest/insight/1.0/attachments/(.*)/(.*)</from>
  <condition type="request-uri">rest/insight/1.0/attachments/.*/(.*\].*)</condition>
  <condition type="method">GET</condition>
  <to type="redirect">/rest/insight/1.0/attachments/$1/${replace:$2:\]:%5D}</to>
</rule>

Note that the second rule's condition must match ] rather than [; if both rules test for [, a filename containing only ] is never rewritten and still returns the 500 error.
- If you have a context path (e.g. http://sample.com/jira/browse/TEST-12345, where the context path is /jira), replace YOURCONTEXT with it. If you have no context path, remove /YOURCONTEXT.
- Restart Jira service
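The root cause in the summary above, and the limitation of the per-character urlrewrite rules in Workaround 2, can both be seen with a short script. This is an added example, not Atlassian or Tuckey code: it percent-encodes a filename as a single URL path segment, checks the result against the character set java.net.URI accepts in a path (RFC 2396, which is what URI.create in the stack trace enforces; the check is an approximation of that parser), and contrasts that with a bracket-only replacement and with form-style encoding that turns a space into "+". The base URL, attachment ID and sample filenames are constructed for the example.

```python
"""Added example (not Atlassian code): encode an Insight attachment filename
as one URL path segment so that java.net.URI.create accepts it.

Assumptions: the legality check approximates java.net.URI (RFC 2396 pchar
plus percent-escapes) and the sample filenames are constructed."""
import re
from urllib.parse import quote, quote_plus

# RFC 2396 characters java.net.URI allows in a path segment: unreserved
# (alphanumerics and the marks -_.!~*'()) plus the reserved characters that
# are legal inside a segment (:@&=+$,;) plus %XX escapes.
# '[', ']', '{', '}', '|', '^', '"', space and the like are absent, so
# URI.create throws "Illegal character in path" on them.
_JAVA_URI_PATH_SEGMENT = re.compile(
    r"^(?:[A-Za-z0-9\-_.!~*'():@&=+$,;]|%[0-9A-Fa-f]{2})*$"
)


def is_legal_java_uri_segment(segment: str) -> bool:
    """True if java.net.URI.create would accept this as a path segment
    (approximation of the RFC 2396 parser used by the JDK)."""
    return bool(_JAVA_URI_PATH_SEGMENT.match(segment))


def encode_path_segment(filename: str) -> str:
    """Correct fix: percent-encode the whole segment.

    quote() with safe='' escapes everything outside the RFC 3986 unreserved
    set, so '/', '[', ']', '{' and a space all become %XX, and a space is
    %20 rather than '+'."""
    return quote(filename, safe="")


def form_encode(filename: str) -> str:
    """Form-style encoding (java.net.URLEncoder semantics, which the
    workaround comment attributes to urlrewrite's ${encode}): the space
    becomes '+', which in a path segment is a literal plus sign, not a
    space, so the filename would no longer round-trip."""
    return quote_plus(filename)


def bracket_only_rewrite(filename: str) -> str:
    """What the two urlrewrite rules in Workaround 2 do: replace only
    '[' and ']'. Any other forbidden character is left as-is."""
    return filename.replace("[", "%5B").replace("]", "%5D")


def attachment_url(base: str, attachment_id: int, filename: str) -> str:
    """Build the download URL with a correctly encoded filename segment."""
    return (f"{base}/rest/insight/1.0/attachments/"
            f"{attachment_id}/{encode_path_segment(filename)}")


if __name__ == "__main__":
    base = "http://localhost:48202/j8202"  # host and context path from the report
    for name in ["[IMG_1701.jpg", "IMG_1701].jpg", "my file.jpg", "a{b}.png"]:
        raw_ok = is_legal_java_uri_segment(name)
        bracket = bracket_only_rewrite(name)
        full = encode_path_segment(name)
        print(f"{name!r}: raw legal={raw_ok} "
              f"bracket-rule={bracket!r} legal={is_legal_java_uri_segment(bracket)} "
              f"encoded={full!r} legal={is_legal_java_uri_segment(full)} "
              f"form={form_encode(name)!r}")
    print(attachment_url(base, 1, "[IMG_1701.jpg"))
```

Running it shows why the workaround is scoped to two characters: the bracket-only rewrite makes "[IMG_1701.jpg" legal, but "a{b}.png" or "my file.jpg" still fail the same URI.create check, whereas percent-encoding the whole segment handles every case without the space-to-plus problem of form encoding.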