From dc4ce2ef4905ab0a4576411af0adb562940841a1 Mon Sep 17 00:00:00 2001 From: Anna Koskinen Date: Fri, 22 Nov 2019 10:56:54 +0200 Subject: Add support for excess slashes within static file request path. (#11827) (#11829) --- .../main/java/com/vaadin/server/VaadinServlet.java | 33 +++++++++++++++++----- .../java/com/example/VaadinSpringBootSmokeIT.java | 14 +++++++++ 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java index e7e57a1278..794cfdd1d6 100644 --- a/server/src/main/java/com/vaadin/server/VaadinServlet.java +++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java @@ -48,6 +48,7 @@ import java.util.Map; import java.util.Properties; import java.util.logging.Level; import java.util.logging.Logger; +import java.util.regex.Pattern; import javax.servlet.ServletConfig; import javax.servlet.ServletContext; @@ -760,6 +761,13 @@ public class VaadinServlet extends HttpServlet implements Constants { */ private static boolean scssCompileWarWarningEmitted = false; + /** + * Pattern for matching request paths that start with /VAADIN/, multiple + * slashes allowed on either side. + */ + private static Pattern staticFileRequestPathPatternVaadin = Pattern + .compile("^/+VAADIN/.*"); + /** * Returns the default theme. Must never return null. * @@ -1356,26 +1364,37 @@ public class VaadinServlet extends HttpServlet implements Constants { String decodedPath = null; String contextPath = null; try { - // pathInfo should be already decoded, but some containers do not decode it, - // hence we use getRequestURI instead. - decodedPath = URLDecoder.decode(request.getRequestURI(), StandardCharsets.UTF_8.name()); - contextPath = URLDecoder.decode(request.getContextPath(), StandardCharsets.UTF_8.name()); + // pathInfo should be already decoded, but some containers do not + // decode it, hence we use getRequestURI instead. + decodedPath = URLDecoder.decode(request.getRequestURI(), + StandardCharsets.UTF_8.name()); + contextPath = URLDecoder.decode(request.getContextPath(), + StandardCharsets.UTF_8.name()); } catch (UnsupportedEncodingException e) { - throw new RuntimeException("An error occurred during decoding URL.",e); + throw new RuntimeException("An error occurred during decoding URL.", + e); } // Possible context path needs to be removed String filePath = decodedPath.substring(contextPath.length()); String servletPath = request.getServletPath(); // Possible servlet path needs to be removed - if (!servletPath.isEmpty() && !servletPath.equals("/VAADIN") + if (!servletPath.isEmpty() && !servletPath.equals("/VAADIN") && filePath.startsWith(servletPath)) { filePath = filePath.substring(servletPath.length()); } // Servlet mapped as /* serves at /VAADIN // Servlet mapped as /foo/bar/* serves at /foo/bar/VAADIN - if (filePath.startsWith("/VAADIN/")) { + + // Matches request paths /VAADIN/*, //VAADIN/* etc. + if (staticFileRequestPathPatternVaadin.matcher(filePath).matches()) { + // Remove any extra slashes from the beginning, + // later occurrences don't interfere + while (filePath.startsWith("//")) { + filePath = filePath.substring(1); + } return filePath; } + String servletPrefixedPath = servletPath + filePath; // Servlet mapped as /VAADIN/* if (servletPrefixedPath.startsWith("/VAADIN/")) { diff --git a/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java b/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java index f6f3db6243..bbd0bc628f 100644 --- a/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java +++ b/test/spring-boot-subcontext/src/test/java/com/example/VaadinSpringBootSmokeIT.java @@ -39,6 +39,13 @@ public class VaadinSpringBootSmokeIT extends TestBenchTestCase { @Test public void testPageLoadsAndButtonWorks() { + getDriver().navigate() + .to("http://localhost:" + port + DemoApplication.CONTEXT); + runSmokeTest(); + } + + @Test + public void testPageLoadsAndButtonWorksWithExtraSlash() { getDriver().navigate() .to("http://localhost:" + port + "/" + DemoApplication.CONTEXT); runSmokeTest(); @@ -46,6 +53,13 @@ public class VaadinSpringBootSmokeIT extends TestBenchTestCase { @Test public void testSubPathPageLoadsAndButtonWorks() { + getDriver().navigate().to("http://localhost:" + port + + DemoApplication.CONTEXT + "/" + SubPathUI.SUBPATH); + runSmokeTest(); + } + + @Test + public void testSubPathPageLoadsAndButtonWorksWithExtraSlash() { getDriver().navigate().to("http://localhost:" + port + "/" + DemoApplication.CONTEXT + "/" + SubPathUI.SUBPATH); runSmokeTest(); -- cgit v1.2.3