482272 Fixed relative symlink checking

Greg Wilkins 2015-11-18 11:13:35 +11:00
parent 4bb63b9e03
commit 12ec44894b
2 changed files with 40 additions and 10 deletions


@ -86,13 +86,14 @@ public class AllowSymLinkAliasChecker implements AliasCheck
Path d = target.getRoot(); Path d = target.getRoot();
for (Path e:target) for (Path e:target)
{ {
d=d.resolve(e); Path r=d.resolve(e);
d=r;
while (Files.exists(d) && Files.isSymbolicLink(d)) while (Files.exists(d) && Files.isSymbolicLink(d))
{ {
Path link=Files.readSymbolicLink(d); Path link=Files.readSymbolicLink(d);
if (!link.isAbsolute()) if (!link.isAbsolute())
link=d.resolve(link); link=d.getParent().resolve(link);
d=link; d=link;
linked=true; linked=true;
} }
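Review bot: The relative-target branch inside the `while` loop needs a comment stating the rule it implements, for example `// a relative link target is resolved against the directory that contains the link, not the link path itself`. The difference between `d.resolve(link)` and `d.getParent().resolve(link)` is one call, and it is easy to revert by accident in code that decides which aliased paths may be served. The new local `r` is only copied into `d` in the lines shown; if nothing after the hunk reads it, `d=d.resolve(e);` can stay as it was. The enclosing method starts and ends outside the hunk, so the later use of `d` and `linked` is not visible here.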


@ -25,6 +25,7 @@ import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path;
import java.util.EnumSet; import java.util.EnumSet;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@ -409,13 +410,18 @@ public class DefaultServletTest
} }
@Test @Test
public void testResourceBase() throws Exception public void testSymLinks() throws Exception
{ {
testdir.ensureEmpty(); testdir.ensureEmpty();
File resBase = testdir.getPathFile("docroot").toFile(); File resBase = testdir.getPathFile("docroot").toFile();
FS.ensureDirExists(resBase); FS.ensureDirExists(resBase);
File foobar = new File(resBase, "foobar.txt"); File dir = new File(resBase,"dir");
File link = new File(resBase, "link.txt"); File dirLink = new File(resBase,"dirlink");
File dirRLink = new File(resBase,"dirrlink");
FS.ensureDirExists(dir);
File foobar = new File(dir, "foobar.txt");
File link = new File(dir, "link.txt");
File rLink = new File(dir,"rlink.txt");
createFile(foobar, "Foo Bar"); createFile(foobar, "Foo Bar");
String resBasePath = resBase.getAbsolutePath(); String resBasePath = resBase.getAbsolutePath();
@ -426,20 +432,43 @@ public class DefaultServletTest
String response; String response;
response = connector.getResponses("GET /context/foobar.txt HTTP/1.0\r\n\r\n"); response = connector.getResponses("GET /context/dir/foobar.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response); assertResponseContains("Foo Bar", response);
if (!OS.IS_WINDOWS) if (!OS.IS_WINDOWS)
{ {
context.clearAliasChecks(); context.clearAliasChecks();
Files.createSymbolicLink(dirLink.toPath(),dir.toPath());
Files.createSymbolicLink(dirRLink.toPath(),new File("dir").toPath());
Files.createSymbolicLink(link.toPath(),foobar.toPath()); Files.createSymbolicLink(link.toPath(),foobar.toPath());
response = connector.getResponses("GET /context/link.txt HTTP/1.0\r\n\r\n"); Files.createSymbolicLink(rLink.toPath(),new File("foobar.txt").toPath());
response = connector.getResponses("GET /context/dir/link.txt HTTP/1.0\r\n\r\n");
assertResponseContains("404", response);
response = connector.getResponses("GET /context/dir/rlink.txt HTTP/1.0\r\n\r\n");
assertResponseContains("404", response);
response = connector.getResponses("GET /context/dirlink/foobar.txt HTTP/1.0\r\n\r\n");
assertResponseContains("404", response);
response = connector.getResponses("GET /context/dirrlink/foobar.txt HTTP/1.0\r\n\r\n");
assertResponseContains("404", response);
response = connector.getResponses("GET /context/dirlink/link.txt HTTP/1.0\r\n\r\n");
assertResponseContains("404", response);
response = connector.getResponses("GET /context/dirrlink/rlink.txt HTTP/1.0\r\n\r\n");
assertResponseContains("404", response); assertResponseContains("404", response);
context.addAliasCheck(new AllowSymLinkAliasChecker()); context.addAliasCheck(new AllowSymLinkAliasChecker());
response = connector.getResponses("GET /context/link.txt HTTP/1.0\r\n\r\n"); response = connector.getResponses("GET /context/dir/link.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response);
response = connector.getResponses("GET /context/dir/rlink.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response);
response = connector.getResponses("GET /context/dirlink/foobar.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response);
response = connector.getResponses("GET /context/dirrlink/foobar.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response);
response = connector.getResponses("GET /context/dirlink/link.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response);
response = connector.getResponses("GET /context/dirrlink/link.txt HTTP/1.0\r\n\r\n");
assertResponseContains("Foo Bar", response); assertResponseContains("Foo Bar", response);
} }
} }
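Review bot: The allowed half of `testSymLinks` (after `context.addAliasCheck(new AllowSymLinkAliasChecker())`) never requests `/context/dirrlink/rlink.txt`: its last request is `/context/dirrlink/link.txt`, while the 404 half above does request `dirrlink/rlink.txt`. A relative file link reached through a relative directory link appears to be the case the checker change targets, so the final request should read `response = connector.getResponses("GET /context/dirrlink/rlink.txt HTTP/1.0\r\n\r\n");`, and `dirlink/rlink.txt` is missing from both halves. Every link created here points inside `docroot`. Adding a case whose target lies outside the resource base, and one whose relative target contains `..`, would document what the checker is expected to permit and guard against a regression in either direction.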