authorGreg Wilkins2013-08-23 06:49:42 +0000
committerGreg Wilkins2013-09-16 09:30:45 +0000
commita731ec13c8dedb290c83b5ef94a2ebc1310a2ce8 (patch)
treef61fe3a177d066999c979fe4d0bc9596953fd1cb
parent624a0d7e455330836ed8b99c39a1686cd1210869 (diff)
downloadorg.eclipse.jetty.project-a731ec13c8dedb290c83b5ef94a2ebc1310a2ce8.tar.gz
org.eclipse.jetty.project-a731ec13c8dedb290c83b5ef94a2ebc1310a2ce8.tar.xz
org.eclipse.jetty.project-a731ec13c8dedb290c83b5ef94a2ebc1310a2ce8.zip
413684 deprecated unsafe alias checkers
-rw-r--r--example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java5
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java49
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java8
-rw-r--r--test-jetty-webapp/src/main/config/contexts/test.xml13
4 files changed, 53 insertions, 22 deletions
diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java
index d71aa2da4c..2b8aedb460 100644
--- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java
+++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/DumpServlet.java
@@ -43,6 +43,11 @@ public class DumpServlet extends HttpServlet
response.getWriter().println("servletPath=" + request.getServletPath());
response.getWriter().println("pathInfo=" + request.getPathInfo());
response.getWriter().println("session=" + request.getSession(true).getId());
+
+ String r=request.getParameter("resource");
+ if (r!=null)
+ response.getWriter().println("resource("+r+")=" + getServletContext().getResource(r));
+
response.getWriter().println("</pre>");
}
} \ No newline at end of file
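Review bot: The `resource` parameter read on the second added line is printed back verbatim into the HTML body two lines later, so whatever a client supplies in `?resource=` is reflected into the page unescaped, and the `getResource(r)` result alongside it discloses the on-disk location of any path the caller names; even in an example servlet the value should be HTML-escaped before it is written and the URL should not be echoed as-is. Jetty's `ServletContext.getResource` also throws `MalformedURLException` for a path that does not begin with `/` (from memory of ContextHandler.Context, worth confirming for this version), which would turn a stray value into a 500 from this dump page, so a guard like `if (r!=null && r.startsWith("/"))` would keep the output well defined. The enclosing `doGet` begins before this hunk.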
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
index c6c98f1e50..aba754f1d5 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
@@ -1537,23 +1537,46 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server.
path = URIUtil.canonicalPath(path);
Resource resource = _baseResource.addPath(path);
+ System.err.println();
+ System.err.println("resource="+resource);
+ try
+ {
+ System.err.println("path="+path);
+ System.err.println("resource="+resource);
+ System.err.println("resource.getURI()="+resource.getURI());
+ System.err.println("resource.getURL()="+resource.getURL());
+ System.err.println("resource.getAlias()="+resource.getAlias());
+ System.err.println("resource.getFile() ="+resource.getFile());
+ System.err.println("resource.getFile().getCanonicalPath()="+resource.getFile().getCanonicalPath());
+ System.err.println("resource.getFile().getAbsolutePath() ="+resource.getFile().getAbsolutePath());
+ System.err.println("resource.exists() ="+resource.exists());
+ }
+ catch(Exception e)
+ {
+ e.printStackTrace();
+ }
+
// Is the resource aliased?
if (!_aliases && resource.getAlias() != null)
{
if (LOG.isDebugEnabled())
LOG.debug("Aliased resource: " + resource + "~=" + resource.getAlias());
+ System.err.println("ALIAS="+resource.getAlias());
// alias checks
for (Iterator<AliasCheck> i=_aliasChecks.iterator();i.hasNext();)
{
AliasCheck check = i.next();
+ System.err.println("check="+check);
if (check.check(path,resource))
{
+ System.err.println("OK???");
if (LOG.isDebugEnabled())
LOG.debug("Aliased resource: " + resource + " approved by " + check);
return resource;
}
}
+ System.err.println("NULL ALIAS");
return null;
}
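Review bot: The added `System.err.println` block after `_baseResource.addPath(path)` and the four further `System.err.println` lines in the alias loop bypass `LOG` entirely and write the requested path, resolved file and canonical path of every resource lookup to stderr, which reads as leftover debugging rather than part of the deprecation the commit title describes. `resource.getFile()` may be null for a Resource that is not file-backed (hedged, it depends on the subtype), in which case the chained `.getCanonicalPath()` throws and the `catch(Exception e)` merely prints the trace, so the block is noisy on legitimate requests as well. Either drop the block or fold the useful part into the existing debug logging in the file's style, e.g. `if (LOG.isDebugEnabled()) LOG.debug("getResource " + path + " -> " + resource + " alias=" + resource.getAlias());`. The enclosing `getResource` method starts before this hunk.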
@@ -2159,7 +2182,6 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server.
}
}
}
-
}
@@ -2183,8 +2205,13 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server.
* Eg. a symbolic link from /foobar.html to /somewhere/wibble.html would be
* approved because both the resource and alias end with ".html".
*/
+ @Deprecated
public static class ApproveSameSuffixAliases implements AliasCheck
{
+ {
+ LOG.warn("ApproveSameSuffixAlias is not safe for production");
+ }
+
public boolean check(String path, Resource resource)
{
int dot = path.lastIndexOf('.');
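Review bot: The Javadoc that ends just above the new `@Deprecated` still presents `ApproveSameSuffixAliases` as a usable check with no `@deprecated` tag, so tooling flags the class but the reason (per that Javadoc it approves a symlink whose target merely shares the file suffix) is not recorded where readers look; the same gap applies to `ApprovePathPrefixAliases` in the next hunk. Add `@deprecated Unsafe: approves any alias that shares the same suffix; not suitable for production.` to each Javadoc block, adjusting the wording for the prefix variant. The warning string `"ApproveSameSuffixAlias is not safe for production"` also drops the trailing `s` of the class name, so a log search for the class will miss it. The class body continues past the end of this hunk.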
@@ -2201,8 +2228,13 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server.
* Eg. a symbolic link from /dirA/foobar.html to /dirB/foobar.html would be
* approved because both the resource and alias end with "/foobar.html".
*/
+ @Deprecated
public static class ApprovePathPrefixAliases implements AliasCheck
{
+ {
+ LOG.warn("ApprovePathPrefixAliases is not safe for production");
+ }
+
public boolean check(String path, Resource resource)
{
int slash = path.lastIndexOf('/');
@@ -2212,6 +2244,7 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server.
return resource.toString().endsWith(suffix);
}
}
+
/* ------------------------------------------------------------ */
/** Approve Aliases of a non existent directory.
* If a directory "/foobar/" does not exist, then the resource is
@@ -2221,11 +2254,17 @@ public class ContextHandler extends ScopedHandler implements Attributes, Server.
{
public boolean check(String path, Resource resource)
{
- int slash = path.lastIndexOf('/');
- if (slash<0 || resource.exists())
+ if (resource.exists())
return false;
- String suffix=path.substring(slash);
- return resource.getAlias().toString().endsWith(suffix);
+
+ String a=resource.getAlias().toString();
+ String r=resource.getURL().toString();
+
+ if (a.length()>r.length())
+ return a.startsWith(r) && a.length()==r.length()+1 && a.endsWith("/");
+ else
+ return r.startsWith(a) && r.length()==a.length()+1 && r.endsWith("/");
}
}
+
}
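Review bot: The rewritten `check` now approves a resource only when its alias URL and its own URL are the same string apart from exactly one trailing `/`, but neither the Javadoc above (which starts before this hunk) nor a comment says so, and the path-suffix comparison it replaces is gone, so a reader cannot tell which non-existent directories are approved. A comment before `String a=...`, `// Approve only when alias and URL differ by a single trailing '/', which is how a not-yet-existing directory shows up`, would record that, with the second clause hedged since it depends on how FileResource builds the alias. `resource.getAlias()` is dereferenced without a null check; within this file the checks only run once `getAlias()` is known to be non-null (see the `getResource` hunk above), but the class is public and callable directly, so `if (resource.exists() || resource.getAlias()==null) return false;` would make it self-contained. Comparing URL strings also presumes both sides use the same percent-encoding, which I cannot confirm from here.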
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
index add7e67b0c..9e0faec884 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
@@ -44,7 +44,6 @@ import org.eclipse.jetty.util.log.Logger;
* This class can check for aliasing in the filesystem (eg case
* insensitivity). By default this is turned on, or it can be controlled
* by calling the static method @see FileResource#setCheckAliases(boolean)
- *
*
*/
public class FileResource extends URLResource
@@ -167,15 +166,16 @@ public class FileResource extends URLResource
r=(URLResource)Resource.newResource(url);
}
+ // Check for encoding aliases
+ // The encoded path should be a suffix of the resource (give or take a directory / )
String encoded=URIUtil.encodePath(path);
int expected=r.toString().length()-encoded.length();
int index = r._urlString.lastIndexOf(encoded, expected);
-
if (expected!=index && ((expected-1)!=index || path.endsWith("/") || !r.isDirectory()))
{
- if (!(r instanceof BadResource))
+ if (r instanceof FileResource)
{
- ((FileResource)r)._alias=new URL(url);
+ ((FileResource)r)._alias=((FileResource)r)._file.getCanonicalFile().toURI().toURL();
((FileResource)r)._aliasChecked=true;
}
}
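Review bot: The value assigned on the `_alias=` line is now the canonical file's URL rather than the original `url`, which also resolves symbolic links, yet the two added comment lines only describe the encoding check and give no hint that the alias changed meaning; a later reader of `getAlias()` would not know whether it holds the requested URL or the resolved one. Extend the comment with `// The alias is the canonical (symlink-resolved, case-corrected) location of the file, so callers can compare it with the URL they asked for.` Narrowing `!(r instanceof BadResource)` to `r instanceof FileResource` also means any other URLResource subtype that `Resource.newResource` may return is no longer marked as aliased; if that is intentional it deserves a word in the comment (hedged: I cannot see what `newResource` returns here). The enclosing method or constructor starts before this hunk.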
diff --git a/test-jetty-webapp/src/main/config/contexts/test.xml b/test-jetty-webapp/src/main/config/contexts/test.xml
index 00372852e4..12d5b18913 100644
--- a/test-jetty-webapp/src/main/config/contexts/test.xml
+++ b/test-jetty-webapp/src/main/config/contexts/test.xml
@@ -28,19 +28,6 @@ detected.
<Set name="copyWebDir">false</Set>
<Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>
<Set name="overrideDescriptor"><SystemProperty name="jetty.home" default="."/>/contexts/test.d/override-web.xml</Set>
-
- <!-- Allow directory symbolic links -->
- <Call name="addAliasCheck">
- <Arg>
- <New class="org.eclipse.jetty.server.handler.ContextHandler$ApprovePathPrefixAliases"/>
- </Arg>
- </Call>
- <!-- Allow file symbolic links -->
- <Call name="addAliasCheck">
- <Arg>
- <New class="org.eclipse.jetty.server.handler.ContextHandler$ApproveSameSuffixAliases"/>
- </Arg>
- </Call>
<!-- virtual hosts
<Set name="virtualHosts">
