author | Greg Wilkins | 2015-11-18 00:13:35 +0000 |
---|---|---|
committer | Greg Wilkins | 2015-11-18 00:13:35 +0000 |
commit | 12ec44894b59e63be299b0aa79678a4b4cb0c4d0 (patch) | |
tree | 51a1a956a673f62f8b9e1159f2d6f6fbf6149f92 | |
parent | 4bb63b9e03047f3f1991152b814aadfbaeba0411 (diff) | |
482272 Fixed relative symlink checking
-rw-r--r-- | jetty-server/src/main/java/org/eclipse/jetty/server/handler/AllowSymLinkAliasChecker.java | 9 | ||||
-rw-r--r-- | jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java | 41 |
2 files changed, 40 insertions, 10 deletions
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/AllowSymLinkAliasChecker.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/AllowSymLinkAliasChecker.java
index 3f5b16b6a0..8f9d14c143 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/AllowSymLinkAliasChecker.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/AllowSymLinkAliasChecker.java
@@ -69,7 +69,7 @@ public class AllowSymLinkAliasChecker implements AliasCheck
 return true;
 }
 }
-
+
 // No, so let's check each element ourselves
 boolean linked=true;
 Path target=path;
@@ -86,13 +86,14 @@ public class AllowSymLinkAliasChecker implements AliasCheck
 Path d = target.getRoot();
 for (Path e:target)
 {
- d=d.resolve(e);
+ Path r=d.resolve(e);
+ d=r;
 while (Files.exists(d) && Files.isSymbolicLink(d))
 {
- Path link=Files.readSymbolicLink(d);
+ Path link=Files.readSymbolicLink(d);
 if (!link.isAbsolute())
- link=d.resolve(link);
+ link=d.getParent().resolve(link);
 d=link;
 linked=true;
 }
diff --git a/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java b/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java
index 174c85f87d..0f740d9da9 100644
--- a/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java
+++ b/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java
@@ -25,6 +25,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.EnumSet;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
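Review bot: In AllowSymLinkAliasChecker.java (hunk `@@ -86,13 +86,14 @@`), the relative target is now resolved against `d.getParent()` but the result is never normalized, so a link such as `../other/file` leaves `..` segments in `d` and in whatever is later compared with the alias path. That comparison is outside the hunk; if it is a textual `Path.equals`, such links would be refused even though they are legitimate, and the new tests only cover same-directory targets (`dir`, `foobar.txt`). Consider `link=d.getParent().resolve(link).normalize();`, keeping in mind that lexical normalization can differ from filesystem resolution when a segment before `..` is itself a symlink, and add a `../` case to the test. The new local `r` is assigned once and copied straight into `d`, so `d=d.resolve(e);` could have stayed as it was. The enclosing loop and method begin and end outside the hunk.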
@@ -409,13 +410,18 @@ public class DefaultServletTest
 }
 @Test
- public void testResourceBase() throws Exception
+ public void testSymLinks() throws Exception
 {
 testdir.ensureEmpty();
 File resBase = testdir.getPathFile("docroot").toFile();
 FS.ensureDirExists(resBase);
- File foobar = new File(resBase, "foobar.txt");
- File link = new File(resBase, "link.txt");
+ File dir = new File(resBase,"dir");
+ File dirLink = new File(resBase,"dirlink");
+ File dirRLink = new File(resBase,"dirrlink");
+ FS.ensureDirExists(dir);
+ File foobar = new File(dir, "foobar.txt");
+ File link = new File(dir, "link.txt");
+ File rLink = new File(dir,"rlink.txt");
 createFile(foobar, "Foo Bar");
 String resBasePath = resBase.getAbsolutePath();
@@ -426,20 +432,43 @@ public class DefaultServletTest
 String response;
- response = connector.getResponses("GET /context/foobar.txt HTTP/1.0\r\n\r\n");
+ response = connector.getResponses("GET /context/dir/foobar.txt HTTP/1.0\r\n\r\n");
 assertResponseContains("Foo Bar", response);
 if (!OS.IS_WINDOWS)
 {
 context.clearAliasChecks();
+ Files.createSymbolicLink(dirLink.toPath(),dir.toPath());
+ Files.createSymbolicLink(dirRLink.toPath(),new File("dir").toPath());
 Files.createSymbolicLink(link.toPath(),foobar.toPath());
- response = connector.getResponses("GET /context/link.txt HTTP/1.0\r\n\r\n");
+ Files.createSymbolicLink(rLink.toPath(),new File("foobar.txt").toPath());
+ response = connector.getResponses("GET /context/dir/link.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("404", response);
+ response = connector.getResponses("GET /context/dir/rlink.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("404", response);
+ response = connector.getResponses("GET /context/dirlink/foobar.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("404", response);
+ response = connector.getResponses("GET /context/dirrlink/foobar.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("404", response);
+ response = connector.getResponses("GET /context/dirlink/link.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("404", response);
+ response = connector.getResponses("GET /context/dirrlink/rlink.txt HTTP/1.0\r\n\r\n");
 assertResponseContains("404", response);
 context.addAliasCheck(new AllowSymLinkAliasChecker());
- response = connector.getResponses("GET /context/link.txt HTTP/1.0\r\n\r\n");
+ response = connector.getResponses("GET /context/dir/link.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("Foo Bar", response);
+ response = connector.getResponses("GET /context/dir/rlink.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("Foo Bar", response);
+ response = connector.getResponses("GET /context/dirlink/foobar.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("Foo Bar", response);
+ response = connector.getResponses("GET /context/dirrlink/foobar.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("Foo Bar", response);
+ response = connector.getResponses("GET /context/dirlink/link.txt HTTP/1.0\r\n\r\n");
+ assertResponseContains("Foo Bar", response);
+ response = connector.getResponses("GET /context/dirrlink/link.txt HTTP/1.0\r\n\r\n");
 assertResponseContains("Foo Bar", response);
 }
 }
|
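Review bot: The allow half of testSymLinks never requests `/context/dirrlink/rlink.txt`: the last added GET is `/context/dirrlink/link.txt`, while the matching 404 assertion earlier in the hunk uses `/context/dirrlink/rlink.txt`. That leaves the relative directory link combined with a relative file link, the nested case the checker change targets, asserted only on the deny path. Change the final request to `response = connector.getResponses("GET /context/dirrlink/rlink.txt HTTP/1.0\r\n\r\n");` or add it as a further assertion. `/context/dirlink/rlink.txt` appears in neither half and could be covered the same way.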