Diffstat (limited to 'server')
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinServlet.java9
1 files changed, 5 insertions, 4 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index 8409507846..3dfb5ba33c 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -1156,6 +1156,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
@Deprecated
protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request,
URL resourceUrl) {
+ String resourcePath = resourceUrl.getPath();
if ("jar".equals(resourceUrl.getProtocol())) {
// This branch is used for accessing resources directly from the
// Vaadin JAR in development environments and in similar cases.
@@ -1165,8 +1166,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
// However, performing a check in case some servers or class loaders
// try to normalize the path by collapsing ".." before the class
// loader sees it.
-
- if (!resourceUrl.getPath().contains("!/VAADIN/")) {
+ if (!resourcePath.contains("!/VAADIN/")
+ && !resourcePath.contains("!/META-INF/resources/VAADIN/")) {
getLogger().log(Level.INFO,
"Blocked attempt to access a JAR entry not starting with /VAADIN/: {0}",
resourceUrl);
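Review bot: The log message on the `getLogger().log(...)` call still reads "not starting with /VAADIN/" although the new condition also accepts entries under `!/META-INF/resources/VAADIN/`, so a blocked request is logged with a reason that no longer matches the check; suggest `"Blocked attempt to access a JAR entry not under /VAADIN/ or /META-INF/resources/VAADIN/: {0}"`. Both allowed markers are matched with `contains`, which accepts them anywhere in the path rather than directly after the jar-entry separator `!`; if a prefix check is what is intended, comparing against the substring that follows the first `!` (a `startsWith` on that tail) would tighten it without changing the accepted inputs. This branch, unlike the non-jar branch later in the method, has no `/../` rejection and relies on the class loader per the comment above; that is only as strong as the class loader's own handling, so it may be worth confirming for the containers in use. The enclosing if-block and the method continue past the end of this hunk.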
@@ -1182,8 +1183,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
// Check that the URL is in a VAADIN directory and does not contain
// "/../"
- if (!resourceUrl.getPath().contains("/VAADIN/")
- || resourceUrl.getPath().contains("/../")) {
+ if (!resourcePath.contains("/VAADIN/")
+ || resourcePath.contains("/../")) {
getLogger().log(Level.INFO,
"Blocked attempt to access file: {0}", resourceUrl);
return false;