Explorar el Código
Serve VAADIN files also from META-INF/resources (#8286) (#8320)
* Serve VAADIN files also from META-INF/resources (#8286) Fixes #8206tags/8.0.0.beta2
Artur
hace 7 años
Se han modificado 1 ficheros con 5 adiciones y 4 borrados
+ 5
- 4
server/src/main/java/com/vaadin/server/VaadinServlet.java
Ver fichero
| @@ -1140,6 +1140,7 @@ public class VaadinServlet extends HttpServlet implements Constants { | |||
| @Deprecated | |||
| protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request, | |||
| URL resourceUrl) { | |||
| String resourcePath = resourceUrl.getPath(); | |||
| if ("jar".equals(resourceUrl.getProtocol())) { | |||
| // This branch is used for accessing resources directly from the | |||
| // Vaadin JAR in development environments and in similar cases. | |||
| @@ -1149,8 +1150,8 @@ public class VaadinServlet extends HttpServlet implements Constants { | |||
| // However, performing a check in case some servers or class loaders | |||
| // try to normalize the path by collapsing ".." before the class | |||
| // loader sees it. | |||
| if (!resourceUrl.getPath().contains("!/VAADIN/")) { | |||
| if (!resourcePath.contains("!/VAADIN/") | |||
| && !resourcePath.contains("!/META-INF/resources/VAADIN/")) { | |||
| getLogger().log(Level.INFO, | |||
| "Blocked attempt to access a JAR entry not starting with /VAADIN/: {0}", | |||
| resourceUrl); | |||
| @@ -1166,8 +1167,8 @@ public class VaadinServlet extends HttpServlet implements Constants { | |||
| // Check that the URL is in a VAADIN directory and does not contain | |||
| // "/../" | |||
| if (!resourceUrl.getPath().contains("/VAADIN/") | |||
| || resourceUrl.getPath().contains("/../")) { | |||
| if (!resourcePath.contains("/VAADIN/") | |||
| || resourcePath.contains("/../")) { | |||
| getLogger().log(Level.INFO, | |||
| "Blocked attempt to access file: {0}", resourceUrl); | |||
| return false; | |||
Cargando…