authorArtur <artur@vaadin.com>2017-01-22 14:00:59 +0200
committerGitHub <noreply@github.com>2017-01-22 14:00:59 +0200
commite9a97953f122b2c82b4708029ae5d37c76b981a9 (patch)
tree60be147bd20fb55ec6e15a09d7c4e64363d4bfc6 /server
parent1d01e7ff58577e98c6eed91a8a317696b56cb5dd (diff)
Serve VAADIN files also from META-INF/resources (#8286)
Fixes #8206
Diffstat (limited to 'server')
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinServlet.java9
1 files changed, 5 insertions, 4 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index 8409507846..3dfb5ba33c 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -1156,6 +1156,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
@Deprecated
protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request,
URL resourceUrl) {
+ String resourcePath = resourceUrl.getPath();
if ("jar".equals(resourceUrl.getProtocol())) {
// This branch is used for accessing resources directly from the
// Vaadin JAR in development environments and in similar cases.
@@ -1165,8 +1166,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
// However, performing a check in case some servers or class loaders
// try to normalize the path by collapsing ".." before the class
// loader sees it.
-
- if (!resourceUrl.getPath().contains("!/VAADIN/")) {
+ if (!resourcePath.contains("!/VAADIN/")
+ && !resourcePath.contains("!/META-INF/resources/VAADIN/")) {
getLogger().log(Level.INFO,
"Blocked attempt to access a JAR entry not starting with /VAADIN/: {0}",
resourceUrl);
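Review bot: The jar-branch condition in this hunk accepts any path containing `!/VAADIN/` or the newly allowed `!/META-INF/resources/VAADIN/` and, unlike the file branch in the last hunk, does not reject `/../`, even though the comment above it names path normalisation by servers or class loaders as the reason for checking at all. If nothing outside the hunk covers this, I would mirror the file branch by parenthesising the two `!resourcePath.contains(...)` terms and adding `|| resourcePath.contains("/../")`. The log text is also stale now that a second prefix is allowed; `"Blocked attempt to access a JAR entry not under /VAADIN/ or /META-INF/resources/VAADIN/: {0}"` would match the check. The last hunk keeps the unanchored `contains("/VAADIN/")` test, which matches that segment anywhere in the file path rather than at the resource root. The method body starts and ends outside these hunks, so an existing guard elsewhere in it may already cover part of this.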
@@ -1182,8 +1183,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
// Check that the URL is in a VAADIN directory and does not contain
// "/../"
- if (!resourceUrl.getPath().contains("/VAADIN/")
- || resourceUrl.getPath().contains("/../")) {
+ if (!resourcePath.contains("/VAADIN/")
+ || resourcePath.contains("/../")) {
getLogger().log(Level.INFO,
"Blocked attempt to access file: {0}", resourceUrl);
return false;