Fixing DefaultServlet Alias Checking
+ Fixing DefaultServletTest.testSymLinks
parent
da2af1141a
commit
0dc65e5588
|
@ -43,7 +43,7 @@ public class SymlinkAllowedResourceAliasChecker extends AllowedResourceAliasChec
|
|||
if (_base == null)
|
||||
return false;
|
||||
|
||||
// do not allow any file separation characters in the URI, as we need to know exactly what are the segments
|
||||
// do not allow any non-URI file separation characters in the URI (such as Windows), as we need to know exactly what are the segments
|
||||
if (File.separatorChar != '/' && pathInContext.indexOf(File.separatorChar) >= 0)
|
||||
return false;
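Review bot: The reworded comment above the `File.separatorChar` check reads as though Windows were a separator character, and it does not say that such a path is rejected. Something like `// Reject a path containing the platform separator when it is not '/' (e.g. '\\' on Windows): each URI segment must map to exactly one file-system segment.` states both the rule and the reason. The enclosing method starts and ends outside this hunk, so it cannot be confirmed from here whether `pathInContext` is already percent-decoded when it reaches this test; the comment should say which form is expected.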
|
||||
|
||||
|
|
|
@ -44,11 +44,9 @@ public class AllowSymLinkAliasChecker implements AliasCheck
|
|||
public boolean check(String pathInContext, Resource resource)
|
||||
{
|
||||
// Only support PathResource alias checking
|
||||
if (!(resource instanceof PathResource))
|
||||
if (!(resource instanceof PathResource pathResource))
|
||||
return false;
|
||||
|
||||
PathResource pathResource = (PathResource)resource;
|
||||
|
||||
try
|
||||
{
|
||||
Path path = pathResource.getPath();
|
||||
|
|
|
@ -32,7 +32,6 @@ import java.util.function.Function;
|
|||
import java.util.function.Predicate;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import jakarta.servlet.DispatcherType;
|
||||
import jakarta.servlet.RequestDispatcher;
|
||||
import jakarta.servlet.ServletContext;
|
||||
import jakarta.servlet.ServletException;
|
||||
|
@ -340,6 +339,8 @@ public class DefaultServlet extends HttpServlet
|
|||
}
|
||||
else
|
||||
{
|
||||
|
||||
|
||||
// serve content
|
||||
try (Blocker.Callback callback = Blocker.callback())
|
||||
{
|
||||
|
@ -810,6 +811,17 @@ public class DefaultServlet extends HttpServlet
|
|||
_servletContextHandler = servletContextHandler;
|
||||
}
|
||||
|
||||
@Override
|
||||
public HttpContent getContent(String path, int outputBufferSize) throws IOException
|
||||
{
|
||||
HttpContent httpContent = super.getContent(path, outputBufferSize);
|
||||
|
||||
if (!_servletContextHandler.checkAlias(path, httpContent.getResource()))
|
||||
return null;
|
||||
|
||||
return httpContent;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getWelcomeTarget(Request coreRequest) throws IOException
|
||||
{
|
||||
|
@ -820,7 +832,9 @@ public class DefaultServlet extends HttpServlet
|
|||
|
||||
HttpServletRequest request = getServletRequest(coreRequest);
|
||||
|
||||
if (request.getDispatcherType() == DispatcherType.INCLUDE)
|
||||
boolean included = request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null;
|
||||
|
||||
if (included)
|
||||
{
|
||||
// Servlet 9.3 - don't process welcome target from INCLUDE dispatch
|
||||
return null;
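Review bot: In the new `getContent` override (hunk `@ -810,6 +811,17`), `httpContent.getResource()` is dereferenced without a null check on the result of `super.getContent(path, outputBufferSize)`. The superclass contract is not visible here, but if it returns null for a path with no content, a request for a missing resource would raise a NullPointerException instead of taking the normal not-found path. Guarding the test as `if (httpContent != null && !_servletContextHandler.checkAlias(path, httpContent.getResource())) return null;` leaves the missing-resource case unchanged and still returns null for a resource that fails the alias check. A short comment on the override saying that null is returned deliberately for an alias-rejected resource, presumably so it is handled like a missing one, would help the next reader.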
|
||||
|
|
|
@ -1100,7 +1100,6 @@ public class DefaultServletTest
|
|||
defholder.setInitParameter("redirectWelcome", "true");
|
||||
defholder.setInitParameter("welcomeServlets", "false");
|
||||
defholder.setInitParameter("gzip", "false");
|
||||
|
||||
defholder.setInitParameter("maxCacheSize", "1024000");
|
||||
defholder.setInitParameter("maxCachedFileSize", "512000");
|
||||
defholder.setInitParameter("maxCachedFiles", "100");
|
||||
|
@ -1288,7 +1287,6 @@ public class DefaultServletTest
|
|||
* Ensure that oddball directory names are served with proper escaping
|
||||
*/
|
||||
@Test
|
||||
@Disabled
|
||||
public void testWelcomeRedirectDirWithSemicolon() throws Exception
|
||||
{
|
||||
FS.ensureDirExists(docRoot);
|
||||
|
@ -1405,7 +1403,6 @@ public class DefaultServletTest
|
|||
}
|
||||
|
||||
@Test
|
||||
@Disabled
|
||||
public void testSymLinks() throws Exception
|
||||
{
|
||||
FS.ensureDirExists(docRoot);
|
||||
|
@ -1417,8 +1414,8 @@ public class DefaultServletTest
|
|||
Path link = dir.resolve("link.txt");
|
||||
Path rLink = dir.resolve("rlink.txt");
|
||||
Files.writeString(foobar, "Foo Bar", UTF_8);
|
||||
ServletHolder defholder = context.addServlet(DefaultServlet.class, "/");
|
||||
|
||||
ServletHolder defholder = context.addServlet(DefaultServlet.class, "/");
|
||||
defholder.setInitParameter("gzip", "false");
|
||||
|
||||
String rawResponse;
|
||||
|
|