diff options
4 files changed, 51 insertions, 26 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java index 740371aec1..b08597d37c 100644 --- a/server/src/main/java/com/vaadin/server/VaadinService.java +++ b/server/src/main/java/com/vaadin/server/VaadinService.java @@ -1085,17 +1085,22 @@ public abstract class VaadinService implements Serializable { } /** - * TODO PUSH Document * - * TODO Pass UI or VaadinSession? - * - * @param uI + * Finds the given theme resource from the web content folder or using the + * class loader and returns a stream for it + * + * @param ui + * The ui for which to find the resource * @param themeName + * The name of the theme * @param resource - * @return + * The name of the resource, e.g. "layouts/mycustomlayout.html" + * @return A stream for the resource or null if the resource was not found + * @throws IOException + * if a problem occurred while finding or opening the resource */ - public abstract InputStream getThemeResourceAsStream(UI uI, - String themeName, String resource); + public abstract InputStream getThemeResourceAsStream(UI ui, + String themeName, String resource) throws IOException; /** * Creates and returns a unique ID for the DIV where the UI is to be diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java index d50bc8370d..75976f9c6e 100644 --- a/server/src/main/java/com/vaadin/server/VaadinServlet.java +++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java @@ -746,7 +746,7 @@ public class VaadinServlet extends HttpServlet implements Constants { throws IOException, ServletException { final ServletContext sc = getServletContext(); - URL resourceUrl = findResourceURL(filename, sc); + URL resourceUrl = findResourceURL(filename); if (resourceUrl == null) { // File not found, if this was a css request we still look for a @@ -975,11 +975,21 @@ public class VaadinServlet extends HttpServlet implements Constants { } } - private URL findResourceURL(String filename, ServletContext sc) - throws MalformedURLException { - URL resourceUrl = sc.getResource(filename); + /** + * Finds the given resource from the web content folder or using the class + * loader. + * + * @since + * @param filename + * The file to find, starting with a "/" + * @return The URL to the given file, or null if the file was not found + * @throws IOException + * if there was a problem while locating the file + */ + protected URL findResourceURL(String filename) throws IOException { + URL resourceUrl = getServletContext().getResource(filename); if (resourceUrl == null) { - // try if requested file is found from classloader + // try if requested file is found from class loader // strip leading "/" otherwise stream from JAR wont work if (filename.startsWith("/")) { @@ -1000,7 +1010,7 @@ public class VaadinServlet extends HttpServlet implements Constants { String scssFilename = filename.substring(0, filename.length() - 4) + ".scss"; - URL scssUrl = findResourceURL(scssFilename, sc); + URL scssUrl = findResourceURL(scssFilename); if (scssUrl == null) { // Is a css request but no scss file was found return false; diff --git a/server/src/main/java/com/vaadin/server/VaadinServletService.java b/server/src/main/java/com/vaadin/server/VaadinServletService.java index 5faea1ce6c..7025d5f491 100644 --- a/server/src/main/java/com/vaadin/server/VaadinServletService.java +++ b/server/src/main/java/com/vaadin/server/VaadinServletService.java @@ -17,6 +17,7 @@ package com.vaadin.server; import java.io.File; +import java.io.IOException; import java.io.InputStream; import java.net.MalformedURLException; import java.net.URL; @@ -24,8 +25,8 @@ import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; -import javax.servlet.ServletContext; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import com.vaadin.server.communication.PushRequestHandler; import com.vaadin.server.communication.ServletBootstrapHandler; @@ -201,14 +202,25 @@ public class VaadinServletService extends VaadinService { @Override public InputStream getThemeResourceAsStream(UI uI, String themeName, - String resource) { - VaadinServletService service = (VaadinServletService) uI.getSession() - .getService(); - ServletContext servletContext = service.getServlet() - .getServletContext(); - return servletContext.getResourceAsStream("/" - + VaadinServlet.THEME_DIR_PATH + '/' + themeName + "/" - + resource); + String resource) throws IOException { + String filename = "/" + VaadinServlet.THEME_DIR_PATH + '/' + themeName + + "/" + resource; + URL resourceUrl = servlet.findResourceURL(filename); + + if (resourceUrl != null) { + // security check: do not permit navigation out of the VAADIN + // directory + if (!servlet.isAllowedVAADINResourceUrl(null, resourceUrl)) { + throw new IOException( + String.format( + "Requested resource [{0}] not accessible in the VAADIN directory or access to it is forbidden.", + filename)); + } + + return resourceUrl.openStream(); + } else { + return null; + } } @Override diff --git a/server/src/main/java/com/vaadin/server/communication/ResourceWriter.java b/server/src/main/java/com/vaadin/server/communication/ResourceWriter.java index 2c5d1b409b..2834b3cea5 100644 --- a/server/src/main/java/com/vaadin/server/communication/ResourceWriter.java +++ b/server/src/main/java/com/vaadin/server/communication/ResourceWriter.java @@ -69,10 +69,8 @@ public class ResourceWriter implements Serializable { final String resource = (String) i.next(); InputStream is = null; try { - is = ui.getSession() - .getService() - .getThemeResourceAsStream(ui, manager.getTheme(ui), - resource); + is = ui.getSession().getService() + .getThemeResourceAsStream(ui, ui.getTheme(), resource); } catch (final Exception e) { // FIXME: Handle exception getLogger().log(Level.FINER, |