Merge pull request #3552 from eclipse/jetty-9.3.x-issue-3549-windows-dir-listing

Issue #3549 - Using FileName properly in Directory Listings.
Joakim Erdfelt 2019-04-16 04:42:57 -07:00 committed by GitHub
commit 1565b5f160
3 changed files with 230 additions and 40 deletions


@ -21,6 +21,8 @@ package org.eclipse.jetty.servlet;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
@ -61,6 +63,7 @@ import static org.hamcrest.CoreMatchers.anyOf;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.not;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
@ -69,6 +72,9 @@ public class DefaultServletTest
@Rule
public TestingDir testdir = new TestingDir();
// The name of the odd-jar used for testing "jar:file://" based resource access.
private static final String ODD_JAR = "jar-resource-odd.jar";
private Server server;
private LocalConnector connector;
private ServletContextHandler context;
@ -81,9 +87,16 @@ public class DefaultServletTest
connector = new LocalConnector(server);
connector.getConnectionFactory(HttpConfiguration.ConnectionFactory.class).getHttpConfiguration().setSendServerVersion(false);
File extraJarResources = MavenTestingUtils.getTestResourceFile(ODD_JAR);
URL urls[] = new URL[] { extraJarResources.toURI().toURL() };
ClassLoader parentClassLoader = Thread.currentThread().getContextClassLoader();
URLClassLoader extraClassLoader = new URLClassLoader(urls, parentClassLoader);
context = new ServletContextHandler();
context.setContextPath("/context");
context.setWelcomeFiles(new String[]{"index.html", "index.jsp", "index.htm"});
context.setClassLoader(extraClassLoader);
server.setHandler(context);
server.addConnector(connector);
@ -181,6 +194,122 @@ public class DefaultServletTest
assertResponseNotContains("\"onmouseover", response);
}
/**
* A regression on windows allowed the directory listing show
* the fully qualified paths within the directory listing.
* This test ensures that this behavior will not arise again.
*/
@Test
public void testListingFilenamesOnly() throws Exception
{
ServletHolder defholder = context.addServlet(DefaultServlet.class, "/*");
defholder.setInitParameter("dirAllowed", "true");
defholder.setInitParameter("redirectWelcome", "false");
defholder.setInitParameter("gzip", "false");
testdir.ensureEmpty();
/* create some content in the docroot */
File resBase = testdir.getPathFile("docroot").toFile();
FS.ensureDirExists(resBase);
File one = new File(resBase, "one");
assertTrue(one.mkdir());
File deep = new File(one, "deep");
assertTrue(deep.mkdir());
FS.touch(new File(deep, "foo"));
assertTrue(new File(resBase, "two").mkdir());
assertTrue(new File(resBase, "three").mkdir());
String resBasePath = resBase.getAbsolutePath();
defholder.setInitParameter("resourceBase", resBasePath);
StringBuffer req1 = new StringBuffer();
req1.append("GET /context/one/deep/ HTTP/1.0\n");
req1.append("\n");
String response = connector.getResponses(req1.toString());
assertResponseContains("/foo", response);
assertResponseNotContains(resBase.getAbsolutePath(), response);
}
/**
* A regression on windows allowed the directory listing show
* the fully qualified paths within the directory listing.
* This test ensures that this behavior will not arise again.
*/
@Test
public void testListingFilenamesOnly_UrlResource() throws Exception
{
URL extraResource = context.getClassLoader().getResource("rez/one");
assertNotNull("Must have extra jar resource in classloader", extraResource);
String extraResourceBaseString = extraResource.toURI().toASCIIString();
extraResourceBaseString = extraResourceBaseString.substring(0, extraResourceBaseString.length() - "/one".length());
ServletHolder defholder = context.addServlet(DefaultServlet.class, "/extra/*");
defholder.setInitParameter("resourceBase", extraResourceBaseString);
defholder.setInitParameter("pathInfoOnly", "true");
defholder.setInitParameter("dirAllowed", "true");
defholder.setInitParameter("redirectWelcome", "false");
defholder.setInitParameter("gzip", "false");
StringBuffer req1;
String response;
// Test that GET works first.
req1 = new StringBuffer();
req1.append("GET /context/extra/one HTTP/1.0\n");
req1.append("\n");
response = connector.getResponses(req1.toString());
assertResponseContains("200 OK", response);
assertResponseContains("is this the one?", response);
// Typical directory listing of location in jar:file:// URL
req1 = new StringBuffer();
req1.append("GET /context/extra/deep/ HTTP/1.0\r\n");
req1.append("\r\n");
response = connector.getResponses(req1.toString());
assertResponseContains("200 OK", response);
assertResponseContains("/xxx", response);
assertResponseContains("/yyy", response);
assertResponseContains("/zzz", response);
assertResponseNotContains(extraResourceBaseString, response);
assertResponseNotContains(ODD_JAR, response);
// Get deep resource
req1 = new StringBuffer();
req1.append("GET /context/extra/deep/yyy HTTP/1.0\r\n");
req1.append("\r\n");
response = connector.getResponses(req1.toString());
assertResponseContains("200 OK", response);
assertResponseContains("a file named yyy", response);
// Convoluted directory listing of location in jar:file:// URL
// This exists to test proper encoding output
req1 = new StringBuffer();
req1.append("GET /context/extra/oddities/ HTTP/1.0\r\n");
req1.append("\r\n");
response = connector.getResponses(req1.toString());
assertResponseContains("200 OK", response);
assertResponseContains(">#hashcode&nbsp;<", response); // text on page
assertResponseContains("/oddities/%23hashcode", response); // generated link
assertResponseContains(">other%2fkind%2Fof%2fslash&nbsp;<", response); // text on page
assertResponseContains("/oddities/other%252fkind%252Fof%252fslash", response); // generated link
assertResponseContains(">a file with a space&nbsp;<", response); // text on page
assertResponseContains("/oddities/a%20file%20with%20a%20space", response); // generated link
assertResponseNotContains(extraResourceBaseString, response);
assertResponseNotContains(ODD_JAR, response);
}
@Test
public void testListingProperUrlEncoding() throws Exception
{
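Review bot: The Windows regression guard in testListingFilenamesOnly only asserts that `resBase.getAbsolutePath()` is absent from the response, which on Windows is the backslash form of the path; if the listing ever rendered the docroot in URI form (forward slashes, or a `file:/` prefix) the check would still pass while the original leak returned. Add a second negative assertion on the forward-slash form, e.g. `assertResponseNotContains(resBase.toURI().getPath(), response);`, and reuse the already-computed `resBasePath` rather than calling getAbsolutePath() a second time. The same method also frames its request with bare `\n` terminators while testListingFilenamesOnly_UrlResource uses `\r\n`; using `\r\n` in both keeps the two tests exercising the same request framing. The hunk ends inside testListingProperUrlEncoding, whose body lies outside the visible section, and the URLClassLoader created in the setup hunk is not visibly closed here, so its tearDown handling should be confirmed outside this view.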

Binary file not shown.


@ -45,6 +45,8 @@ import org.eclipse.jetty.util.UrlEncoded;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import static java.nio.charset.StandardCharsets.UTF_8;
/* ------------------------------------------------------------ */
/**
@ -541,7 +543,9 @@ public abstract class Resource implements ResourceFactory, Closeable
* @param parent True if the parent directory should be included
* @return String of HTML
* @throws IOException if unable to get the list of resources as HTML
* @deprecated use {@link #getListHTML(String, boolean, String)} instead
*/
@Deprecated
public String getListHTML(String base, boolean parent) throws IOException
{
return getListHTML(base, parent, null);
@ -730,12 +734,12 @@ public abstract class Resource implements ResourceFactory, Closeable
DateFormat.MEDIUM);
for (Resource item: items)
{
String name = item.getName();
int slashIdx = name.lastIndexOf('/');
if (slashIdx != -1)
String name = item.getFileName();
if (StringUtil.isBlank(name))
{
name = name.substring(slashIdx + 1);
continue; // skip
}
if (item.isDirectory() && !name.endsWith("/"))
{
name += URIUtil.SLASH;
@ -752,13 +756,21 @@ public abstract class Resource implements ResourceFactory, Closeable
// Last Modified
buf.append("<td class=\"lastmodified\">");
long lastModified = item.lastModified();
if (lastModified > 0)
{
buf.append(dfmt.format(new Date(item.lastModified())));
buf.append("</td>");
}
buf.append("&nbsp;</td>");
// Size
buf.append("<td class=\"size\">");
buf.append(String.format("%,d", item.length()));
buf.append(" bytes&nbsp;</td></tr>\n");
long length = item.length();
if (length >= 0)
{
buf.append(String.format("%,d bytes", item.length()));
}
buf.append("&nbsp;</td></tr>\n");
}
buf.append("</tbody>\n");
buf.append("</table>\n");
@ -767,6 +779,55 @@ public abstract class Resource implements ResourceFactory, Closeable
return buf.toString();
}
/**
* Get the raw (decoded if possible) Filename for this Resource.
* This is the last segment of the path.
* @return the raw / decoded filename for this resource
*/
private String getFileName()
{
try
{
// if a Resource supports File
File file = getFile();
if (file != null)
{
return file.getName();
}
}
catch (Throwable ignore)
{
}
// All others use raw getName
try
{
String rawName = getName(); // gets long name "/foo/bar/xxx"
int idx = rawName.lastIndexOf('/');
if (idx == rawName.length()-1)
{
// hit a tail slash, aka a name for a directory "/foo/bar/"
idx = rawName.lastIndexOf('/', idx-1);
}
String encodedFileName;
if (idx >= 0)
{
encodedFileName = rawName.substring(idx + 1);
}
else
{
encodedFileName = rawName; // entire name
}
return UrlEncoded.decodeString(encodedFileName, 0, encodedFileName.length(), UTF_8);
}
catch (Throwable ignore)
{
}
return null;
}
/**
* Encode any characters that could break the URI string in an HREF.
* Such as <a href="/path/to;<script>Window.alert("XSS"+'%20'+"here");</script>">Link</a>