diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java index d71aa2da4c6..2b8aedb460e 100644 --- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java +++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java @@ -43,6 +43,11 @@ public class DumpServlet extends HttpServlet response.getWriter().println("servletPath=" + request.getServletPath()); response.getWriter().println("pathInfo=" + request.getPathInfo()); response.getWriter().println("session=" + request.getSession(true).getId()); + + String r=request.getParameter("resource"); + if (r!=null) + response.getWriter().println("resource("+r+")=" + getServletContext().getResource(r)); + response.getWriter().println(""); } } \ No newline at end of file diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java index 8a84167fe9b..b8652764411 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java 
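Review bot: The added `resource` block passes a request parameter straight to `getServletContext().getResource(r)` and writes both the raw value and the resolved URL back to the client, so anyone who can reach this example servlet can learn where the context lives on disk and test which paths resolve. `r` is also echoed without escaping; the content type is set outside this hunk, so whether that matters for markup cannot be told from here. If this is a diagnostic for the alias work in the same commit, it should be dropped before merge or reduced to a yes/no answer, e.g. `response.getWriter().println("resource found=" + (getServletContext().getResource(r) != null));`, with a comment marking it as a test aid. The unbraced `if` should get braces while these lines are being touched. The enclosing method starts above the hunk.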
@@ -1580,23 +1580,46 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server. path = URIUtil.canonicalPath(path); Resource resource = _baseResource.addPath(path); + System.err.println(); + System.err.println("resource="+resource); + try + { + System.err.println("path="+path); + System.err.println("resource="+resource); + System.err.println("resource.getURI()="+resource.getURI()); + System.err.println("resource.getURL()="+resource.getURL()); + System.err.println("resource.getAlias()="+resource.getAlias()); + System.err.println("resource.getFile() ="+resource.getFile()); + System.err.println("resource.getFile().getCanonicalPath()="+resource.getFile().getCanonicalPath()); + System.err.println("resource.getFile().getAbsolutePath() ="+resource.getFile().getAbsolutePath()); + System.err.println("resource.exists() ="+resource.exists()); + } + catch(Exception e) + { + e.printStackTrace(); + } + // Is the resource aliased? if (!_aliases && resource.getAlias() != null) { if (LOG.isDebugEnabled()) LOG.debug("Aliased resource: " + resource + "~=" + resource.getAlias()); + System.err.println("ALIAS="+resource.getAlias()); // alias checks for (Iterator i=_aliasChecks.iterator();i.hasNext();) { AliasCheck check = i.next(); + System.err.println("check="+check); if (check.check(path,resource)) { + System.err.println("OK???"); if (LOG.isDebugEnabled()) LOG.debug("Aliased resource: " + resource + " approved by " + check); return resource; } } + System.err.println("NULL ALIAS"); return null; } @@ -2474,7 +2497,6 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server. } } } - } 
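Review bot: The `System.err.println` block added after `_baseResource.addPath(path)` runs on every resource lookup and writes absolute and canonical filesystem paths to stderr regardless of the logging configuration; it reads like leftover debugging and should not ship in the request path. `resource.getFile()` is dereferenced twice inside the `try`, so for any resource where it returns null (whether that can happen is not visible here) each request would also print a stack trace through `e.printStackTrace()`. The same concern applies to the `ALIAS=`, `check=`, `OK???` and `NULL ALIAS` prints further down in this hunk. I would delete all of them and, if the detail is still wanted, put it behind the guard already used here: `if (LOG.isDebugEnabled()) LOG.debug("resource=" + resource + " alias=" + resource.getAlias());`. The method body begins above the hunk.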
@@ -2498,8 +2520,13 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server. * Eg. a symbolic link from /foobar.html to /somewhere/wibble.html would be * approved because both the resource and alias end with ".html". */ + @Deprecated public static class ApproveSameSuffixAliases implements AliasCheck { + { + LOG.warn("ApproveSameSuffixAlias is not safe for production"); + } + public boolean check(String path, Resource resource) { int dot = path.lastIndexOf('.'); @@ -2516,8 +2543,13 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server. * Eg. a symbolic link from /dirA/foobar.html to /dirB/foobar.html would be * approved because both the resource and alias end with "/foobar.html". */ + @Deprecated public static class ApprovePathPrefixAliases implements AliasCheck { + { + LOG.warn("ApprovePathPrefixAliases is not safe for production"); + } + public boolean check(String path, Resource resource) { int slash = path.lastIndexOf('/'); @@ -2527,6 +2559,7 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server. return resource.toString().endsWith(suffix); } } + /* ------------------------------------------------------------ */ /** Approve Aliases of a non existent directory. * If a directory "/foobar/" does not exist, then the resource is @@ -2536,11 +2569,17 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server. { public boolean check(String path, Resource resource) { - int slash = path.lastIndexOf('/'); - if (slash<0 || resource.exists()) + if (resource.exists()) return false; - String suffix=path.substring(slash); - return resource.getAlias().toString().endsWith(suffix); + + String a=resource.getAlias().toString(); + String r=resource.getURL().toString(); + + if (a.length()>r.length()) + return a.startsWith(r) && a.length()==r.length()+1 && a.endsWith("/"); + else + return r.startsWith(a) && r.length()==a.length()+1 && r.endsWith("/"); } } + } 
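Review bot: `@Deprecated` is added to `ApproveSameSuffixAliases` without a matching `@deprecated` Javadoc tag, so users see the deprecation but not the reason or the alternative; the same applies to `ApprovePathPrefixAliases` in the next hunk. Both checks still approve an alias on a suffix match alone, so the tag should say that plainly, for example `@deprecated Approves any alias whose name ends like the request path; not safe for production.` (naming a replacement check, if there is one, is for the author to fill in). The warning text in the first class reads `ApproveSameSuffixAlias`, which does not match the class name and will be missed by someone searching logs for `ApproveSameSuffixAliases`. The instance initializer logs once per instance created; a one-line comment saying that is intended would help.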
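Review bot: The rewritten `check` in the `@@ -2536,11 +2569,17 @@` hunk no longer uses its `path` argument and now dereferences `resource.getURL()` in addition to `resource.getAlias()`, neither with a null check; the caller in `getResource` only guarantees a non-null alias, and whether `getURL()` can be null for the resource types that reach this check is not visible here. An exception thrown from this method would presumably surface as a failed request rather than a clean denial, so I would make the guard explicit: `if (resource.exists() || resource.getAlias()==null || resource.getURL()==null) return false;`. The comparison is on the string forms of two URLs and therefore relies on both being encoded the same way. A comment such as `// path is unused: approve only when alias and URL differ by exactly one trailing '/'` and longer names than `a` and `r` would make the intent reviewable.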
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java index add7e67b0c4..9e0faec884e 100644 --- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java +++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java @@ -44,7 +44,6 @@ import org.eclipse.jetty.util.log.Logger; * This class can check for aliasing in the filesystem (eg case * insensitivity). By default this is turned on, or it can be controlled * by calling the static method @see FileResource#setCheckAliases(boolean) - * * */ public class FileResource extends URLResource @@ -167,15 +166,16 @@ public class FileResource extends URLResource r=(URLResource)Resource.newResource(url); } + // Check for encoding aliases + // The encoded path should be a suffix of the resource (give or take a directory / ) String encoded=URIUtil.encodePath(path); int expected=r.toString().length()-encoded.length(); int index = r._urlString.lastIndexOf(encoded, expected); - if (expected!=index && ((expected-1)!=index || path.endsWith("/") || !r.isDirectory())) { - if (!(r instanceof BadResource)) + if (r instanceof FileResource) { - ((FileResource)r)._alias=new URL(url); + ((FileResource)r)._alias=((FileResource)r)._file.getCanonicalFile().toURI().toURL(); ((FileResource)r)._aliasChecked=true; } } diff --git a/test-jetty-webapp/src/main/config/contexts/test.xml b/test-jetty-webapp/src/main/config/contexts/test.xml index 00372852e43..12d5b18913e 100644 --- a/test-jetty-webapp/src/main/config/contexts/test.xml +++ b/test-jetty-webapp/src/main/config/contexts/test.xml @@ -28,19 +28,6 @@ detected. false /etc/webdefault.xml /contexts/test.d/override-web.xml - - - - - - - - - - - - -
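Review bot: When the encoding mismatch is detected but `r` is not a `FileResource`, the new `if (r instanceof FileResource)` records nothing, so that resource leaves this block with no alias set even though a mismatch was just found; what the caller does with it is outside the hunk, but a check that keys on `getAlias() != null` would not see it. The old `!(r instanceof BadResource)` test had the same gap for `BadResource`, so this is not new, but the branch deserves at least a comment such as `// non-file resources cannot carry an alias here; the mismatch is not recorded`. `getCanonicalFile()` touches the filesystem and can throw `IOException`; the enclosing method's `throws` clause is not visible in the hunk, so confirm it covers that. Taking `FileResource fr=(FileResource)r;` once would remove the three repeated casts.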