From d8e6331434fbb6025301f06f03230c6f6cad7676 Mon Sep 17 00:00:00 2001 From: Greg Wilkins Date: Wed, 27 Aug 2014 17:33:27 +1000 Subject: [PATCH] 442477 Allow Symlink aliases by default --- .../jetty/server/handler/ContextHandler.java | 71 +++++-------------- .../ContextHandlerGetResourceTest.java | 2 + .../jetty/servlet/DefaultServletTest.java | 5 +- 3 files changed, 23 insertions(+), 55 deletions(-) diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java index 9dc9794fa40..ccb2fce0467 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java @@ -99,7 +99,9 @@ import org.eclipse.jetty.util.resource.Resource; * and org.eclipse.jetty.server.Request.maxFormContentSize. These can also be configured with {@link #setMaxFormContentSize(int)} and {@link #setMaxFormKeys(int)} *

* This servers executore is made available via a context attributed "org.eclipse.jetty.server.Executor". - * + *

+ * By default, the context is created with alias checkers for {@link AllowSymLinkAliasChecker} (unix only) and {@link ApproveNonExistentDirectoryAliases}. + * If these alias checkers are not required, then {@link #clearAliasChecks()} or {@link #setAliasChecks(List)} should be called. * @org.apache.xbean.XBean description="Creates a basic HTTP context" */ @ManagedObject("URI Context") @@ -193,11 +195,7 @@ public class ContextHandler extends ScopedHandler implements Attributes, Gracefu */ public ContextHandler() { - super(); - _scontext = new Context(); - _attributes = new AttributesMap(); - _initParams = new HashMap(); - addAliasCheck(new ApproveNonExistentDirectoryAliases()); + this((Context)null); } /* ------------------------------------------------------------ */ @@ -207,10 +205,12 @@ public class ContextHandler extends ScopedHandler implements Attributes, Gracefu protected ContextHandler(Context context) { super(); - _scontext = context; + _scontext = context==null?new Context():context; _attributes = new AttributesMap(); _initParams = new HashMap(); addAliasCheck(new ApproveNonExistentDirectoryAliases()); + if (File.separatorChar=='/') + addAliasCheck(new AllowSymLinkAliasChecker()); } /* ------------------------------------------------------------ */ @@ -1794,6 +1794,16 @@ public class ContextHandler extends ScopedHandler implements Attributes, Gracefu _aliasChecks.clear(); _aliasChecks.addAll(checks); } + + /* ------------------------------------------------------------ */ + /** + * clear the list of AliasChecks + */ + public void clearAliasChecks() + { + _aliasChecks.clear(); + } + /* ------------------------------------------------------------ */ /** 
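Review bot: The protected constructor now adds `AllowSymLinkAliasChecker` to every context whenever `File.separatorChar=='/'`, so symlink handling changes from opt-in to opt-out for deployments that never configured alias checks. If less-trusted parties can place symlinks under a context's base resource (an upload area, an unpacked archive), it would presumably start serving the link targets after upgrade; what the checker actually permits is not visible in this patch and should be confirmed. The class Javadoc added in the first hunk should state that exposure rather than only saying the checkers may be "not required", e.g. `* Symbolic links under the base resource are followed on unix by default; call {@link #clearAliasChecks()} when content may be written by untrusted parties.` The separator comparison is a loose proxy for "unix" and deserves a comment such as `// '/' separator is used as the unix test; symlink aliases are only enabled by default there`.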
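Review bot: The Javadoc on `clearAliasChecks()` does not say that it also removes the checkers the constructor installs, which is now the main reason a caller would use it. I would write `/** Remove all alias checks, including the defaults added by the constructor; aliased resources are then not served until a check is added. */`. The 404 asserted after `context.clearAliasChecks()` in the DefaultServletTest hunk supports the second half of that sentence.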
@@ -2746,53 +2756,6 @@ public class ContextHandler extends ScopedHandler implements Attributes, Gracefu return true; } } - - /* ------------------------------------------------------------ */ - /** Approve Aliases with same suffix. - * Eg. a symbolic link from /foobar.html to /somewhere/wibble.html would be - * approved because both the resource and alias end with ".html". - */ - @Deprecated - public static class ApproveSameSuffixAliases implements AliasCheck - { - { - LOG.warn("ApproveSameSuffixAlias is not safe for production"); - } - - @Override - public boolean check(String path, Resource resource) - { - int dot = path.lastIndexOf('.'); - if (dot<0) - return false; - String suffix=path.substring(dot); - return resource.toString().endsWith(suffix); - } - } - - - /* ------------------------------------------------------------ */ - /** Approve Aliases with a path prefix. - * Eg. a symbolic link from /dirA/foobar.html to /dirB/foobar.html would be - * approved because both the resource and alias end with "/foobar.html". - */ - @Deprecated - public static class ApprovePathPrefixAliases implements AliasCheck - { - { - LOG.warn("ApprovePathPrefixAliases is not safe for production"); - } - - @Override - public boolean check(String path, Resource resource) - { - int slash = path.lastIndexOf('/'); - if (slash<0 || slash==path.length()-1) - return false; - String suffix=path.substring(slash); - return resource.toString().endsWith(suffix); - } - } /* ------------------------------------------------------------ */ /** Approve Aliases of a non existent directory. diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerGetResourceTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerGetResourceTest.java index aace3e77797..9bd1db2dc9f 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerGetResourceTest.java 
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ContextHandlerGetResourceTest.java @@ -86,6 +86,8 @@ public class ContextHandlerGetResourceTest server = new Server(); context =new ContextHandler("/"); + context.clearAliasChecks(); + context.addAliasCheck(new ContextHandler.ApproveNonExistentDirectoryAliases()); context.setBaseResource(Resource.newResource(docroot)); context.addAliasCheck(new ContextHandler.AliasCheck() { diff --git a/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java b/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java index 8cc231a3913..9f6eb9745dc 100644 --- a/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java +++ b/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java @@ -41,6 +41,7 @@ import org.eclipse.jetty.http.DateGenerator; import org.eclipse.jetty.server.HttpConfiguration; import org.eclipse.jetty.server.LocalConnector; import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.server.handler.AllowSymLinkAliasChecker; import org.eclipse.jetty.server.handler.ContextHandler; import org.eclipse.jetty.toolchain.test.FS; import org.eclipse.jetty.toolchain.test.MavenTestingUtils; @@ -431,11 +432,13 @@ public class DefaultServletTest if (!OS.IS_WINDOWS) { + context.clearAliasChecks(); + Files.createSymbolicLink(link.toPath(),foobar.toPath()); response = connector.getResponses("GET /context/link.txt HTTP/1.0\r\n\r\n"); assertResponseContains("404", response); - context.addAliasCheck(new ContextHandler.ApproveAliases()); + context.addAliasCheck(new AllowSymLinkAliasChecker()); response = connector.getResponses("GET /context/link.txt HTTP/1.0\r\n\r\n"); assertResponseContains("Foo Bar", response);
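Review bot: Because `context.clearAliasChecks()` runs before the link is created in the DefaultServletTest hunk, the new default is never exercised, and the test would still pass if the constructor stopped installing `AllowSymLinkAliasChecker`. Assuming the test's context is built through the patched constructor, I would move `Files.createSymbolicLink(link.toPath(),foobar.toPath());` ahead of the clear and first assert `assertResponseContains("Foo Bar", response);` with the defaults in place, then clear and assert the 404. A case where the link target lies outside the context's base resource is also worth pinning, since that is the exposure the default changes. The enclosing test method starts and ends outside the hunk.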