search

itsthatguy / avatars-api-middleware

The express middleware for our avatars service
http://avatars.adorable.io
Other
749 stars 96 forks source link

Identifier can result in a 404 #102

Closed nopor closed 4 years ago

nopor commented 4 years ago

What is happening? If the identifier ‘..’ is chosen, the result is actually a 404.

What is expected? An image as usual.

URL: https://api.adorable.io/avatars/285/..

However, it works with the suffix .png (https://api.adorable.io/avatars/285/...png)

rylnd commented 4 years ago

Hi @nopor, thanks for filing the issue!

. and .. are reserved sequences in URI segments and hold special meaning (reference). The URI /foo/bar/../baz would resolve to /foo/baz, and /avatars/285/.. in this case is resolving to /avatars, which leads to the 404 you're seeing. Appending the suffix means it's no longer a reserved sequence, and things work as expected.

I don't think that we can circumvent this, nor would we want to if we could. I would recommend modifying your requests such that the string .. is never the sole identifier, which you've already shown one way of doing (appending a suffix). You could also encode the identifier in some way (base64, etc.) to similar effect.

I hope that helps!

nopor commented 4 years ago

Hi @rylnd,

Yes, that's why I was filing this report. It could be resolved just for this specific servlet, though at least in the demo it could be prevented in order to not have an empty image on display.

Thanks for the quick answer. I suppose we can close the issue then, since it was more about to raise awareness.