[ https://issues.apache.org/jira/browse/SLING-12844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remo Liechti updated SLING-12844:
---------------------------------
    Fix Version/s:     (was: Engine 3.0.0)
                       (was: Engine 2.16.2)
    Affects Version/s: Engine 2.16.4
                       Engine 3.0.0
    Description:
See related issue SLING-12697 that has weakened the checks for committed responses to not flag cases for {{sendRedirect}} and {{sendError}}.

However, this check is not sufficient enough. In cases where the response is committed for other reasons than sendRedirect or sendError, violations still need to be flagged.

The check needs to distinguish the cases of sendRedirect and sendError, to not flag a violation, but also detect committed responses for other cases, such as:
* manually committed responses that are done through code, like response.
* responses that get committed because the buffer is full and needs to be flushed
* any others...

  was:
For some edge cases, where a response was committed already (i.e. due to sendRedirect or sendError), misleading information is provided for content type header change violations (see SLING-12478).

When reading [the servlet api spec|https://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html], we can see that in 5.4 Convenience Methods, where we talk about {{sendRedirect}} and {{sendError}}:

{noformat}
These methods will have the side effect of committing the response, if it has not
already been committed, and terminating it. No further output to the client should be
made by the servlet after these methods are called. If data is written to the response
after these methods are called, the data is ignored.{noformat}

Right now, changes to the content type header are ignored by the response implementation and comply with the servlet API. However, when it comes to detection of a potential violation, a false positive is created. The log message shows a violation, even when the content type header is not changed afterwards.

    Issue Type: Bug  (was: Improvement)
    Priority: Major  (was: Minor)

> Potential origins of violations to the RequestDispatcher include API skips
> too many on committed responses
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-12844
>                 URL: https://issues.apache.org/jira/browse/SLING-12844
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 3.0.0, Engine 2.16.4
>            Reporter: Remo Liechti
>            Assignee: Remo Liechti
>            Priority: Major
>
> See related issue SLING-12697 that has weakened the checks for committed
> responses to not flag cases for {{sendRedirect}} and {{sendError}}.
> However, this check is not sufficient enough. In cases where the response is
> committed for other reasons than sendRedirect or sendError, violations still
> need to be flagged.
> The check needs to distinguish the cases of sendRedirect and sendError, to
> not flag a violation, but also detect committed responses for other cases,
> such as:
> * manually committed responses that are done through code, like response.
> * responses that get committed because the buffer is full and needs to be
> flushed
> * any others...

--
This message was sent by Atlassian Jira
(v8.20.10#820010)