summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArtur <artur@vaadin.com>2017-01-22 14:00:59 +0200
committerGitHub <noreply@github.com>2017-01-22 14:00:59 +0200
commite9a97953f122b2c82b4708029ae5d37c76b981a9 (patch)
tree60be147bd20fb55ec6e15a09d7c4e64363d4bfc6
parent1d01e7ff58577e98c6eed91a8a317696b56cb5dd (diff)
downloadvaadin-framework-e9a97953f122b2c82b4708029ae5d37c76b981a9.tar.gz
vaadin-framework-e9a97953f122b2c82b4708029ae5d37c76b981a9.zip
Serve VAADIN files also from META-INF/resources (#8286)
Fixes #8206
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinServlet.java9
1 files changed, 5 insertions, 4 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index 8409507846..3dfb5ba33c 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -1156,6 +1156,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
@Deprecated
protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request,
URL resourceUrl) {
+ String resourcePath = resourceUrl.getPath();
if ("jar".equals(resourceUrl.getProtocol())) {
// This branch is used for accessing resources directly from the
// Vaadin JAR in development environments and in similar cases.
@@ -1165,8 +1166,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
// However, performing a check in case some servers or class loaders
// try to normalize the path by collapsing ".." before the class
// loader sees it.
-
- if (!resourceUrl.getPath().contains("!/VAADIN/")) {
+ if (!resourcePath.contains("!/VAADIN/")
+ && !resourcePath.contains("!/META-INF/resources/VAADIN/")) {
getLogger().log(Level.INFO,
"Blocked attempt to access a JAR entry not starting with /VAADIN/: {0}",
resourceUrl);
@@ -1182,8 +1183,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
// Check that the URL is in a VAADIN directory and does not contain
// "/../"
- if (!resourceUrl.getPath().contains("/VAADIN/")
- || resourceUrl.getPath().contains("/../")) {
+ if (!resourcePath.contains("/VAADIN/")
+ || resourcePath.contains("/../")) {
getLogger().log(Level.INFO,
"Blocked attempt to access file: {0}", resourceUrl);
return false;