From 4794b6bf53db9b57b74fdb6e200b260ee20373b3 Mon Sep 17 00:00:00 2001 From: Henri Sara Date: Fri, 30 Sep 2011 12:10:45 +0000 Subject: [PATCH] Merged changes from 6.6 (#7692) svn changeset:21470/svn branch:6.7 --- WebContent/WEB-INF/web.xml | 5 +++++ build/build.xml | 12 +++++----- .../server/AbstractApplicationServlet.java | 22 ++++++++++++++++--- 3 files changed, 30 insertions(+), 9 deletions(-) diff --git a/WebContent/WEB-INF/web.xml b/WebContent/WEB-INF/web.xml index b5cd3fa1c8..b83979acc6 100644 --- a/WebContent/WEB-INF/web.xml +++ b/WebContent/WEB-INF/web.xml @@ -49,6 +49,11 @@ /integration/* + + IntegrationTest + /VAADIN/* + + index.html diff --git a/build/build.xml b/build/build.xml index 0a59d1f3b0..dd7635f0a5 100644 --- a/build/build.xml +++ b/build/build.xml @@ -195,12 +195,12 @@ - - - - - - + + + + + + diff --git a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java index 08614ce0c8..ba6aef0ad1 100644 --- a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java +++ b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java 
@@ -1367,15 +1367,31 @@ public abstract class AbstractApplicationServlet extends HttpServlet implements
 // loader sees it.
 if (!resourceUrl.getPath().contains("!/VAADIN/")) {
- logger.warning("Attempted access to a JAR entry not starting with /VAADIN/: "
+ logger.info("Blocked attempt to access a JAR entry not starting with /VAADIN/: "
 + resourceUrl);
 return false;
 }
+ logger.fine("Accepted access to a JAR entry using a class loader: "
+ + resourceUrl);
+ return true;
+ } else if ("file".equals(resourceUrl.getProtocol())) {
+ // Some servers such as GlassFish extract files from JARs. In such
+ // cases, the class loader sees them as file URLs.
+
+ // Check that the URL is in a VAADIN directory and does not contain
+ // "/../"
+ if (!resourceUrl.getPath().contains("/VAADIN/")
+ || resourceUrl.getPath().contains("/../")) {
+ logger.info("Blocked attempt to access file: " + resourceUrl);
+ return false;
+ }
+ logger.fine("Accepted access to a file using a class loader: "
+ + resourceUrl);
 return true;
 }
- // when using the class loader fall-back, other protocols than jar: are
- // not supported
+ // when using the class loader fall-back, other protocols than jar: and
+ // file: are not supported
 return false;
 }
-- 2.39.5
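Review bot: The traversal guard in the new `file:` branch is a pair of substring tests, so a path whose final segment is `..` with no trailing slash passes `contains("/../")`, and `contains("/VAADIN/")` accepts any path with a `VAADIN` directory somewhere in it rather than one under the servlet's own resource directory. A cheap tightening is to read the path once and reject the trailing form as well: `String path = resourceUrl.getPath();` followed by `if (!path.contains("/VAADIN/") || path.contains("/../") || path.endsWith("/..")) {`. `URL.getPath()` also returns the still-encoded form, so this check only covers what the class loader reports, not what the request carried; presumably the request path is validated earlier in this method, which begins before the hunk, but that is worth confirming. Since the two "Blocked attempt" lines are the only trace of a rejected lookup and the JAR-branch message moves from warning to info here, check that INFO output from this logger is retained wherever such events are expected to be reviewed.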