
SOLVED

Dispatcher : Asset Path security issue

Hi community

 

I want to write a generic rule to deny this type of path

/content/dam/myproject/asset.jpg/.4.json

/content/dam/myproject/asset.xls/.4.json


I already have this rule in the dispatcher and it's not applying to these paths

/0081
{
/type "deny"
/selectors '((sys|doc)view|query|[0-9-]+)'
/extension '(json|xml|css|js|xls)'
}
# Deny content grabbing for /content
/0082
{
/type "deny"
/path "/content"
/selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
/extension '(json|xml|html|css|js)'
}

Please help

1 Accepted Solution

Correct answer by
Community Advisor

Here "/.4.json" is considered a suffix, not a selector. You need to deny the suffix in the dispatcher. You can check the example below for reference:

# Block the use of all suffixes on any resource under /content
/0160 {
  /type "deny" /url "/content*" /suffix "*"
}

For more information about what part of the request line each of these elements references, see the Sling URL Decomposition wiki page.
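
Added example (not part of the original answer, and not Dispatcher's own code): a simplified Python model of how the request line splits into path, selectors, extension and suffix, checked against rules /0081 and /0160 from this thread. The purely syntactic split at the first dot, whole-string regex matching, and treating an absent URL part as a non-match are assumptions of this model.

```python
import re
from fnmatch import fnmatchcase

def decompose(url):
    """Syntactic split of a URL path (assumption: split starts at the first dot)."""
    dot = url.find(".")
    if dot == -1:
        return {"url": url, "path": url, "selectors": "", "extension": "", "suffix": ""}
    rest = url[dot + 1:]
    slash = rest.find("/")
    # Everything from the first slash after the extension onward is the suffix.
    names, suffix = (rest, "") if slash == -1 else (rest[:slash], rest[slash:])
    *selectors, extension = names.split(".")
    return {"url": url, "path": url[:dot], "selectors": ".".join(selectors),
            "extension": extension, "suffix": suffix}

# Deny rules from the thread. "re" = single-quoted regex value, "glob" = double-quoted value.
RULE_0081 = ("0081", {"selectors": ("re", r"((sys|doc)view|query|[0-9-]+)"),
                      "extension": ("re", r"(json|xml|css|js|xls)")})
RULE_0160 = ("0160", {"url": ("glob", "/content*"), "suffix": ("glob", "*")})

def matches(parts, conditions):
    """A rule matches only if every property it names matches its URL part."""
    for field, (kind, pattern) in conditions.items():
        value = parts[field]
        if not value:  # assumption: an absent URL part never satisfies a condition
            return False
        hit = re.fullmatch(pattern, value) if kind == "re" else fnmatchcase(value, pattern)
        if not hit:
            return False
    return True

def denied_by(url, rules):
    """Return the names of the deny rules that match the URL."""
    parts = decompose(url)
    return [name for name, conditions in rules if matches(parts, conditions)]

if __name__ == "__main__":
    for url in ("/content/dam/myproject/asset.jpg/.4.json",
                "/content/dam/myproject/asset.xls/.4.json",
                "/content/dam/myproject/asset.4.json"):
        print(url, decompose(url), denied_by(url, [RULE_0081, RULE_0160]))
```

In this model the two paths from the question have an empty selector string, so /0081 never fires on them, while the same digits written as `asset.4.json` are caught by /0081 and not by /0160.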

 

 
