url-pattern for favicon.ico is too loose - intercepts REST requests

Issue #12 resolved
Adam Ahmed created an issue

If someone creates a favicon.ico file in their own repository and then goes to the Bitbucket web interface to look at it, they may get put into an infinite redirect loop to the login page.

The issue is that the servlet-filter for FaviconInterceptor is too loose and handles requests that it shouldn't. See: https://bitbucket.org/atlassianlabs/stash-look-and-feel-plugin/src/adb8e4a01676033e79bd4009d4d5b730ae208d32/src/main/resources/atlassian-plugin.xml?at=master&fileviewer=file-view-default#atlassian-plugin.xml-90

One of the affected URLs would be /rest/api/latest/projects/PROJ/repos/REPO/pull-requests/1/diff/src/main/resources/images/favicon.ico?avatarSize=64&markup=true&whitespace&contextLines=-1&withComments=undefined

In the case of the diff screen, a redirect loop occurs because a REST request is made that doesn't return an X-AUSERNAME header in the response (because the response is just a png), so the UI believes the user has been logged out and redirects them to login. Since /login knows they aren't logged out, it redirects back to the diff page.
