
Apache Felix returns false positive when /system/console returns 301

Open jwadolowski opened this issue 8 years ago • 0 comments

SecureCQ version: 1.3.1

[screenshot: secure_aem_false_positive]

At the same time:

$ curl -v https://dev.example.com/system/console/ -o /dev/null
...
> GET /system/console HTTP/1.1
> Host: dev.example.com
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=iso-8859-1
< Date: Mon, 04 Sep 2017 12:37:08 GMT
< Location: https://dev.example.com/system/console/
< Server: Apache
< Content-Length: 252
< Connection: keep-alive

When I follow redirects, I get a 404:

$ curl -v https://dev.example.com/system/console/ -o /dev/null
> GET /system/console HTTP/1.1
> Host: dev.example.com
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=iso-8859-1
< Date: Mon, 04 Sep 2017 12:38:05 GMT
< Location: https://dev.example.com/system/console/
< Server: Apache
< Content-Length: 252
< Connection: keep-alive
<
> GET /system/console/ HTTP/1.1
> Host: dev.example.com
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Accept-Ranges: bytes
< Content-Type: text/html; charset=UTF-8
< Date: Mon, 04 Sep 2017 12:38:05 GMT
< Last-Modified: Mon, 04 Sep 2017 10:35:38 GMT
< Server: Apache
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Request-ID: Wa1JLZ--61UQKao-HPCBDAAAAXY
< Content-Length: 83201
< Connection: keep-alive

All in all, rules that rely on HTTP status codes should follow redirects before producing final status.

jwadolowski, Sep 04 '17 12:09
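The point of the report is that a status-code rule must look at the response reached after redirects, not at the first 301. The following is an added example, not SecureCQ/SecureAEM code, showing the naive rule beside a redirect-aware one. It uses a constructed in-memory response table modelled on the curl exchange above (plus a hypothetical host where the console really is reachable and a hypothetical redirect loop), so it runs offline; the assumption that the rule treats anything other than 401/403/404 as "console reachable" is mine, not something the issue states.

```python
"""Follow HTTP redirects before judging a status-code based rule.

Added example (not SecureCQ/SecureAEM code). The transport is a constructed
in-memory table that mirrors the curl exchange in the issue, so it runs offline.
"""
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses modelled on the curl output in the issue:
# the bare path is redirected by Apache, the trailing-slash path is a 404.
CONSTRUCTED_RESPONSES = {
    "https://dev.example.com/system/console": (301, {"Location": "https://dev.example.com/system/console/"}),
    "https://dev.example.com/system/console/": (404, {}),
    # Hypothetical host where the console really is reachable after the redirect.
    "https://open.example.com/system/console": (301, {"Location": "/system/console/"}),
    "https://open.example.com/system/console/": (200, {}),
    # Hypothetical redirect loop, to exercise the hop limit.
    "https://loop.example.com/a": (302, {"Location": "/b"}),
    "https://loop.example.com/b": (302, {"Location": "/a"}),
}


def table_fetch(url):
    """Stand-in for one HTTP GET that does not follow redirects: (status, headers)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


def final_status(url, fetch=table_fetch, max_hops=5):
    """Return (status, url) of the response reached after following redirects.

    Relative Location headers are resolved against the current URL, and the
    walk stops after max_hops redirects so a loop cannot hang the scanner.
    """
    for _ in range(max_hops + 1):
        status, headers = fetch(url)
        if status not in REDIRECT_STATUSES:
            return status, url
        location = headers.get("Location")
        if not location:
            return status, url  # redirect without Location: nothing to follow
        url = urljoin(url, location)
    raise RuntimeError(f"more than {max_hops} redirects while resolving {url}")


def naive_rule(url, fetch=table_fetch):
    """Behaviour the issue reports: judge the first response only.

    Assumption (not from the issue): anything but 401/403/404 counts as
    'console reachable', so a 301 is wrongly reported as a finding.
    """
    status, _ = fetch(url)
    return status not in (401, 403, 404)


def redirect_aware_rule(url, fetch=table_fetch):
    """Same rule, applied to the status reached after redirects."""
    status, _ = final_status(url, fetch)
    return status not in (401, 403, 404)


if __name__ == "__main__":
    for host in ("dev", "open"):
        u = f"https://{host}.example.com/system/console"
        print(u, "naive:", naive_rule(u), "redirect-aware:", redirect_aware_rule(u))
```

For `dev.example.com` the naive rule reports the console as reachable because it only sees the 301, while the redirect-aware rule follows the `Location` header to the trailing-slash URL, sees the 404, and correctly reports nothing; the hop limit keeps a misconfigured redirect loop from stalling a scan.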