Issue #3555 - Do not reveal base resource in error response

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

jetty-server/src/main/java/org/eclipse/jetty/server/handler/DefaultHandler.java

@@ -21,7 +21,6 @@ package org.eclipse.jetty.server.handler;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.net.URL;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -142,9 +141,7 @@ public class DefaultHandler extends AbstractHandler
                     writer.write(context.getContextPath());
                     if (context.getVirtualHosts()!=null && context.getVirtualHosts().length>0)
                         writer.write(" @ "+context.getVirtualHosts()[0]+":"+request.getLocalPort());
-                    writer.write(" ---> ");
-                    writer.write(context.toString());
-                    writer.write("</a></li>\n");
+                    writer.write("&nbsp;</a></li>\n");
                 }
                 else
                 {
@@ -152,7 +149,7 @@ public class DefaultHandler extends AbstractHandler
                     writer.write(context.getContextPath());
                     if (context.getVirtualHosts()!=null && context.getVirtualHosts().length>0)
                         writer.write("&nbsp;@&nbsp;"+context.getVirtualHosts()[0]+":"+request.getLocalPort());
-                    writer.write("&nbsp;--->&nbsp;");
+                    writer.write("&nbsp;");
                     writer.write(context.toString());
                     if (context.isFailed())
                         writer.write(" [failed]");

jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultHandlerTest.java

@@ -0,0 +1,101 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2018 Mort Bay Consulting Pty. Ltd.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.servlet;
+
+import java.io.File;
+
+import org.eclipse.jetty.server.LocalConnector;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.DefaultHandler;
+import org.eclipse.jetty.server.handler.HandlerList;
+import org.eclipse.jetty.toolchain.test.FS;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.resource.PathResource;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+
+public class DefaultHandlerTest
+{
+    private Server server;
+    private LocalConnector localConnector;
+    private File baseA;
+    private File baseFoo;
+
+    @Before
+    public void startServer() throws Exception
+    {
+        server = new Server();
+
+        localConnector = new LocalConnector(server);
+        server.addConnector(localConnector);
+
+        File docRoot = MavenTestingUtils.getTargetTestingDir(DefaultHandlerTest.class.getName());
+        FS.ensureDirExists(docRoot);
+
+        baseA = new File(docRoot, "baseA");
+        FS.ensureDirExists(baseA);
+
+        baseFoo = new File(docRoot, "baseFoo");
+        FS.ensureDirExists(baseFoo);
+
+        ServletContextHandler contextA = new ServletContextHandler();
+        contextA.setContextPath("/a");
+        contextA.setBaseResource(new PathResource(baseA));
+
+        ServletContextHandler contextFoo = new ServletContextHandler();
+        contextFoo.setContextPath("/foo");
+        contextFoo.setBaseResource(new PathResource(baseFoo));
+
+        HandlerList handlers = new HandlerList();
+        handlers.addHandler(contextA);
+        handlers.addHandler(contextFoo);
+        handlers.addHandler(new DefaultHandler());
+
+        server.setHandler(handlers);
+        server.start();
+    }
+
+    @After
+    public void stopServer() throws Exception
+    {
+        server.stop();
+    }
+
+    @Test
+    public void testNotRevealBaseResource() throws Exception
+    {
+        StringBuilder req = new StringBuilder();
+        req.append("GET / HTTP/1.0\r\n");
+        req.append("\r\n");
+
+        String rawResponse = localConnector.getResponses(req.toString());
+        assertThat(rawResponse, containsString("404 Not Found"));
+        assertThat(rawResponse, containsString("No context on this server matched or handled this request"));
+        assertThat(rawResponse, containsString("Contexts known to this server are"));
+        assertThat(rawResponse, containsString("<a href=\"/a\">"));
+        assertThat(rawResponse, containsString("<a href=\"/foo\">"));
+        assertThat(rawResponse, not(containsString(baseA.toString())));
+        assertThat(rawResponse, not(containsString(baseFoo.toString())));
+    }
+}