Closed henrykuijpers closed 7 years ago
None of those would be URLs generated by the transformer factory, so these don't seem like valid use cases. Only the URL pattern generated by the transformer factory is checked.
What is the reason this force option was created? Purely to validate that a certain MD5 isn't current anymore?
Correct. It checks the hash in the request path and compares it against the current hash.
Recently, the md5 enforce feature was added to the VersionedClientlibsTransformerFactory. However, this parameter does not actually enforce the md5 to be present.
I.e. I can still do a call to http://localhost:4502/etc/designs/project/clientlibs/header.min.f14368c685b1b113261f1da335a28107.css to get the CSS file, thus avoiding the whole filter.
And also:
http://localhost:4502/etc/designs/project/clientlibs/header.min.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.css
http://localhost:4502/etc/designs/project/clientlibs/header.min.thisisnotmd5.css
https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/e6bdb0edad52c9d5f670f52ec8a9d5a4184c2441/bundle/src/main/java/com/adobe/acs/commons/rewriter/impl/VersionedClientlibsTransformerFactory.java
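The following added example (not code from this thread or from acs-aem-commons) sketches what a strict form of the check discussed above could look like: every clientlib request must carry an MD5-shaped segment, and that segment must equal the current hash. The class name, the URL pattern and the `current` hash value are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class StrictClientlibHashCheck {
    enum Result { CURRENT, STALE, NOT_VERSIONED }

    // Assumed URL shape: <name>[.min].<32 lowercase hex chars>.(css|js).
    // Hypothetical pattern written for this example, not copied from the project.
    private static final Pattern VERSIONED =
            Pattern.compile("^(.+?)(\\.min)?\\.([0-9a-f]{32})\\.(css|js)$");

    /** Classifies the request path against the hash the server currently computes. */
    static Result classify(String path, String currentMd5) {
        Matcher m = VERSIONED.matcher(path);
        if (!m.matches()) {
            return Result.NOT_VERSIONED; // no hash at all, or a segment that is not MD5-shaped
        }
        return m.group(3).equals(currentMd5) ? Result.CURRENT : Result.STALE;
    }

    /** Strict policy: only the current hash is served; everything else gets 404. */
    static int statusFor(String path, String currentMd5) {
        return classify(path, currentMd5) == Result.CURRENT ? 200 : 404;
    }

    public static void main(String[] args) {
        String base = "/etc/designs/project/clientlibs/header.min";
        String current = "0123456789abcdef0123456789abcdef"; // constructed sample value
        String[] paths = {
            base + "." + current + ".css",                    // current hash
            base + ".f14368c685b1b113261f1da335a28107.css",   // MD5-shaped, differs from `current`
            base + ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.css",   // MD5-shaped, differs from `current`
            base + ".thisisnotmd5.css",                       // not MD5-shaped
            base + ".css",                                    // no hash segment
        };
        for (String p : paths) {
            System.out.println(statusFor(p, current) + " " + classify(p, current) + " " + p);
        }
    }
}
```

With the constructed `current` value, only the first path is served; the other four are answered with 404, including the ones whose segment is not a valid MD5.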