author | Artur <artur@vaadin.com> | 2017-01-25 09:09:02 +0200 |
---|---|---|
committer | Denis <denis@vaadin.com> | 2017-01-25 09:09:02 +0200 |
commit | b5cc119d1b120695b5e04b596372f2fb982a32d7 (patch) | |
tree | f29f99e61aaf170fa2ab6a31c6a08bf3b26098f5 | |
parent | 8300e3e9f079e901765bbae74b15d8f0c05c4160 (diff) | |
Serve VAADIN files also from META-INF/resources (#8286) (#8320)
* Serve VAADIN files also from META-INF/resources (#8286)
Fixes #8206
-rw-r--r-- | server/src/main/java/com/vaadin/server/VaadinServlet.java | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index ea1ccf26a2..fae7b160c3 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -1140,6 +1140,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
 @Deprecated
 protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request, URL resourceUrl) {
+ String resourcePath = resourceUrl.getPath();
 if ("jar".equals(resourceUrl.getProtocol())) {
 // This branch is used for accessing resources directly from the
 // Vaadin JAR in development environments and in similar cases.
@@ -1149,8 +1150,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
 // However, performing a check in case some servers or class loaders
 // try to normalize the path by collapsing ".." before the class
 // loader sees it.
-
- if (!resourceUrl.getPath().contains("!/VAADIN/")) {
+ if (!resourcePath.contains("!/VAADIN/")
+ && !resourcePath.contains("!/META-INF/resources/VAADIN/")) {
 getLogger().log(Level.INFO, "Blocked attempt to access a JAR entry not starting with /VAADIN/: {0}", resourceUrl);
@@ -1166,8 +1167,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
 // Check that the URL is in a VAADIN directory and does not contain
 // "/../"
- if (!resourceUrl.getPath().contains("/VAADIN/")
- || resourceUrl.getPath().contains("/../")) {
+ if (!resourcePath.contains("/VAADIN/")
+ || resourcePath.contains("/../")) {
 getLogger().log(Level.INFO, "Blocked attempt to access file: {0}", resourceUrl);
 return false; |
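Review bot: The jar-branch check in the second hunk is a substring match, so with the added alternative any JAR URL whose path contains `!/META-INF/resources/VAADIN/` anywhere is allowed, while the log message just below still says the entry must start with `/VAADIN/`. Because this condition is the allow-list for serving JAR entries, consider testing the entry part after the last `!` with `startsWith("/VAADIN/")` / `startsWith("/META-INF/resources/VAADIN/")` instead of `contains`, and updating the message to something like `"Blocked attempt to access a JAR entry outside /VAADIN/ and /META-INF/resources/VAADIN/: {0}"`. The third hunk is a pure rename to `resourcePath`, but its `/../` test still runs on the raw `URL.getPath()` value, which is not percent-decoded, so it is worth confirming that the URL is always resolved from an already-decoded request path. The method body starts before the first hunk and continues past the last one, so any checks outside these lines are not visible here.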