Add support for excess slashes within static file request path. (#11827) (#11829)8.9.3

author: Anna Koskinen <Ansku@users.noreply.github.com> 2019-11-22 10:56:54 +0200
committer: Tatu Lund <tatu@vaadin.com> 2019-11-22 10:56:54 +0200
commit: dc4ce2ef4905ab0a4576411af0adb562940841a1 (patch)
tree: 879d70d882d4e3c5777ad03e4a7252c7a401ef5d
parent: bdc61a37626b76c259c32f32b6c17402b151b920 (diff)
download: vaadin-framework-dc4ce2ef4905ab0a4576411af0adb562940841a1.tar.gz
vaadin-framework-dc4ce2ef4905ab0a4576411af0adb562940841a1.zip
2 files changed, 40 insertions, 7 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index e7e57a1278..794cfdd1d6 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -48,6 +48,7 @@ import java.util.Map;
 import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
@@ -761,6 +762,13 @@ public class VaadinServlet extends HttpServlet implements Constants {
     private static boolean scssCompileWarWarningEmitted = false;
 
     /**
+     * Pattern for matching request paths that start with /VAADIN/, multiple
+     * slashes allowed on either side.
+     */
+    private static Pattern staticFileRequestPathPatternVaadin = Pattern
+            .compile("^/+VAADIN/.*");
+
+    /**
      * Returns the default theme. Must never return null.
      *
      * @return
@@ -1356,26 +1364,37 @@ public class VaadinServlet extends HttpServlet implements Constants {
         String decodedPath = null;
         String contextPath = null;
         try {
-            // pathInfo should be already decoded, but some containers do not decode it,
-            // hence we use getRequestURI instead.
-            decodedPath = URLDecoder.decode(request.getRequestURI(), StandardCharsets.UTF_8.name());
-            contextPath = URLDecoder.decode(request.getContextPath(), StandardCharsets.UTF_8.name());
+            // pathInfo should be already decoded, but some containers do not
+            // decode it, hence we use getRequestURI instead.
+            decodedPath = URLDecoder.decode(request.getRequestURI(),
+                    StandardCharsets.UTF_8.name());
+            contextPath = URLDecoder.decode(request.getContextPath(),
+                    StandardCharsets.UTF_8.name());
         } catch (UnsupportedEncodingException e) {
-            throw new RuntimeException("An error occurred during decoding URL.",e);
+            throw new RuntimeException("An error occurred during decoding URL.",
+                    e);
         }
         // Possible context path needs to be removed
         String filePath = decodedPath.substring(contextPath.length());
         String servletPath = request.getServletPath();
         // Possible servlet path needs to be removed
-        if (!servletPath.isEmpty() && !servletPath.equals("/VAADIN") 
+        if (!servletPath.isEmpty() && !servletPath.equals("/VAADIN")
                 && filePath.startsWith(servletPath)) {
             filePath = filePath.substring(servletPath.length());
         }
         // Servlet mapped as /* serves at /VAADIN
         // Servlet mapped as /foo/bar/* serves at /foo/bar/VAADIN
-        if (filePath.startsWith("/VAADIN/")) {
+
+        // Matches request paths /VAADIN/*, //VAADIN/* etc.
+        if (staticFileRequestPathPatternVaadin.matcher(filePath).matches()) {
+            // Remove any extra slashes from the beginning,
+            // later occurrences don't interfere
+            while (filePath.startsWith("//")) {
+                filePath = filePath.substring(1);
+            }
             return filePath;
         }
+
         String servletPrefixedPath = servletPath + filePath;
         // Servlet mapped as /VAADIN/*
         if (servletPrefixedPath.startsWith("/VAADIN/")) {
diff --git a/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java b/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java
index f6f3db6243..bbd0bc628f 100644
--- a/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java
+++ b/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java
@@ -40,12 +40,26 @@ public class VaadinSpringBootSmokeIT extends TestBenchTestCase {
     @Test
     public void testPageLoadsAndButtonWorks() {
         getDriver().navigate()
+                .to("http://localhost:" + port + DemoApplication.CONTEXT);
+        runSmokeTest();
+    }
+
+    @Test
+    public void testPageLoadsAndButtonWorksWithExtraSlash() {
+        getDriver().navigate()
                 .to("http://localhost:" + port + "/" + DemoApplication.CONTEXT);
         runSmokeTest();
     }
 
     @Test
     public void testSubPathPageLoadsAndButtonWorks() {
+        getDriver().navigate().to("http://localhost:" + port
+                + DemoApplication.CONTEXT + "/" + SubPathUI.SUBPATH);
+        runSmokeTest();
+    }
+
+    @Test
+    public void testSubPathPageLoadsAndButtonWorksWithExtraSlash() {
         getDriver().navigate().to("http://localhost:" + port + "/"
                 + DemoApplication.CONTEXT + "/" + SubPathUI.SUBPATH);
         runSmokeTest();
author	Anna Koskinen <Ansku@users.noreply.github.com>	2019-11-22 10:56:54 +0200
committer	Tatu Lund <tatu@vaadin.com>	2019-11-22 10:56:54 +0200
commit	dc4ce2ef4905ab0a4576411af0adb562940841a1 (patch)
tree	879d70d882d4e3c5777ad03e4a7252c7a401ef5d
parent	bdc61a37626b76c259c32f32b6c17402b151b920 (diff)
download	vaadin-framework-dc4ce2ef4905ab0a4576411af0adb562940841a1.tar.gz vaadin-framework-dc4ce2ef4905ab0a4576411af0adb562940841a1.zip