Dev - Nexus Repo / NEXUS-17823

Browse index.html URL-encodes forward slashes as %2f, possibly creating blocked URLs

Details

    Description

      Go to Browse. Navigate to a tree node that contains assets. Open the HTML view of the assets. The index.html page will list the asset paths using URL-encoded forward slashes (%2f). Example:

       

      <!DOCTYPE html>
      <html>
      <head>
      <title>Index of /com/oracle/coherence/coherence/12.1.3-0-0</title>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      
      
      <!--[if lt IE 9]>
      <script>(new Image).src="http://localhost:8081/favicon.ico?3.13.0-01"</script>
      <![endif]-->
      <link rel="icon" type="image/png" href="http://localhost:8081/favicon-32x32.png?3.13.0-01" sizes="32x32">
      <link rel="mask-icon" href="http://localhost:8081/safari-pinned-tab.svg?3.13.0-01" color="#5bbad5">
      <link rel="icon" type="image/png" href="http://localhost:8081/favicon-16x16.png?3.13.0-01" sizes="16x16">
      <link rel="shortcut icon" href="http://localhost:8081/favicon.ico?3.13.0-01">
      <meta name="msapplication-TileImage" content="http://localhost:8081/mstile-144x144.png?3.13.0-01">
      <meta name="msapplication-TileColor" content="#00a300">
      
      <link rel="stylesheet" type="text/css" href="http://localhost:8081/static/css/nexus-content.css?3.13.0-01"/>
      </head>
      <body class="htmlIndex">
      <h1>Index of /com/oracle/coherence/coherence/12.1.3-0-0</h1>
      
      
      <table cellspacing="10">
      <tr>
      <th align="left">Name</th>
      <th>Last Modified</th>
      <th>Size</th>
      <th>Description</th>
      </tr>
      <tr>
      <td><a href="../">Parent Directory</a></td>
      </tr>
      <tr>
      <td><a href="http://localhost:8081/repository/maven-oracle/com%2Foracle%2Fcoherence%2Fcoherence%2F12.1.3-0-0%2Fcoherence-12.1.3-0-0.jar">coherence-12.1.3-0-0.jar</a></td>
      <td>
      Fri Aug 17 09:28:33 ADT 2018
      </td>
      <td align="right">
      8604514
      </td>
      <td></td>
      </tr>
      </table>
      </body>
      </html>

       

      URL encoding in general is needed for safety, but forward slashes don't have to be encoded. In fact, we already know this causes problems when Apache httpd is in front of Nexus, because the default setup of Apache httpd as a reverse proxy is to NOT allow encoded slashes to pass through. In that case, following the URL will return 404 Not Found, which is really confusing.

      This %2F encoding has been the crux of many support tickets we are tired of seeing, all of which can be avoided in our products if we don't encode forward slashes like this.

      Related:

      NEXUS-10570

      https://help.sonatype.com/repomanager3/installation/run-behind-a-reverse-proxy#RunBehindaReverseProxy-ApachehttpdwithnpmRepositories

            People

              Unassigned
              Peter Lynch (plynch)
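An added example, not part of the original ticket and not Nexus code: a Python sketch that scans an index.html listing for links whose path carries an encoded slash (the form the ticket says a default Apache httpd reverse proxy answers with 404) and builds the same link with per-segment encoding and literal slashes. The function names and the constructed sample rows are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample rows, modelled on the index.html listing in the ticket.
SAMPLE_INDEX = (
    '<tr><td><a href="../">Parent Directory</a></td></tr>\n'
    '<tr><td><a href="http://localhost:8081/repository/maven-oracle/'
    'com%2Foracle%2Fcoherence%2Fcoherence%2F12.1.3-0-0%2F'
    'coherence-12.1.3-0-0.jar">coherence-12.1.3-0-0.jar</a></td></tr>\n'
)

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)


def asset_href(base_url, asset_path):
    """Percent-encode each path segment but keep '/' as a literal separator."""
    segments = asset_path.strip("/").split("/")
    return base_url.rstrip("/") + "/" + "/".join(quote(s, safe="") for s in segments)


class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_encoded_slash_links(index_html):
    """Return (original, rewritten) pairs for hrefs whose path contains %2F."""
    collector = HrefCollector()
    collector.feed(index_html)
    flagged = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if ENCODED_SLASH.search(parts.path):
            # Assumes every %2F in a repository path is a directory separator.
            fixed = parts._replace(path=ENCODED_SLASH.sub("/", parts.path))
            flagged.append((href, urlunsplit(fixed)))
    return flagged


if __name__ == "__main__":
    for original, rewritten in find_encoded_slash_links(SAMPLE_INDEX):
        print("encoded slash:", original, "->", rewritten)
```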