Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-17823

Browse index.html URL encode forward slashes as %2f possibly creating blocked URLs

    Details

      Description

      Go to Browse. Navigate to tree node that contains assets. Open the HTML view of the assets. The index.html page will list the asset paths using URL encoded forward slashes ( %2f). Example:

       

      <!DOCTYPE html>
      <html>
      <head>
      <title>Index of /com/oracle/coherence/coherence/12.1.3-0-0</title>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      
      
      <!--[if lt IE 9]>
      <script>(new Image).src="http://localhost:8081/favicon.ico?3.13.0-01"</script>
      <![endif]-->
      <link rel="icon" type="image/png" href="http://localhost:8081/favicon-32x32.png?3.13.0-01" sizes="32x32">
      <link rel="mask-icon" href="http://localhost:8081/safari-pinned-tab.svg?3.13.0-01" color="#5bbad5">
      <link rel="icon" type="image/png" href="http://localhost:8081/favicon-16x16.png?3.13.0-01" sizes="16x16">
      <link rel="shortcut icon" href="http://localhost:8081/favicon.ico?3.13.0-01">
      <meta name="msapplication-TileImage" content="http://localhost:8081/mstile-144x144.png?3.13.0-01">
      <meta name="msapplication-TileColor" content="#00a300">
      
      <link rel="stylesheet" type="text/css" href="http://localhost:8081/static/css/nexus-content.css?3.13.0-01"/>
      </head>
      <body class="htmlIndex">
      <h1>Index of /com/oracle/coherence/coherence/12.1.3-0-0</h1>
      
      
      <table cellspacing="10">
      <tr>
      <th align="left">Name</th>
      <th>Last Modified</th>
      <th>Size</th>
      <th>Description</th>
      </tr>
      <tr>
      <td><a href="../">Parent Directory</a></td>
      </tr>
      <tr>
      <td><a href="http://localhost:8081/repository/maven-oracle/com%2Foracle%2Fcoherence%2Fcoherence%2F12.1.3-0-0%2Fcoherence-12.1.3-0-0.jar">coherence-12.1.3-0-0.jar</a></td>
      <td>
      Fri Aug 17 09:28:33 ADT 2018
      </td>
      <td align="right">
      8604514
      </td>
      <td></td>
      </tr>
      </table>
      </body>
      </html>

       

      URL encoding in general is needed for safety, but encoded forward slashes don't have to be. In fact we already know this causes problems when Apache httpd is in front of Nexus because the default setup of Apache httpd as a reverse proxy is to NOT allow encoded slashes to pass through. In that case, following the URL will return 404 not found which is really confusing.

      This %2F encoding has been the crux of many support tickets we are tired of seeing of which can all be avoided in our products if we don't encode forward slashes like this.

      Related:

      -NEXUS-10570-

      https://help.sonatype.com/repomanager3/installation/run-behind-a-reverse-proxy#RunBehindaReverseProxy-ApachehttpdwithnpmRepositories

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Peter Lynch Peter Lynch
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title