From ce497adfbdb6875e3cbe783cfc280999a9ae04d9 Mon Sep 17 00:00:00 2001 From: Tatu Lund Date: Tue, 19 Nov 2019 14:31:18 +0200 Subject: Decode path in getStaticFilePath (#11812) * Decode path in getStaticFilePath Some containers do not decode path when using getPathInfo, in case path has not been decoded there is a risk for path traversal vulnerability. --- .../main/java/com/vaadin/server/VaadinServlet.java | 29 ++++++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'server/src/main') diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java index b0d270accb..e7e57a1278 100644 --- a/server/src/main/java/com/vaadin/server/VaadinServlet.java +++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java @@ -28,11 +28,13 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.io.Serializable; +import java.io.UnsupportedEncodingException; import java.lang.reflect.Method; import java.net.MalformedURLException; import java.net.URISyntaxException; import java.net.URL; import java.net.URLConnection; +import java.net.URLDecoder; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; import java.util.ArrayList; @@ -1348,16 +1350,33 @@ public class VaadinServlet extends HttpServlet implements Constants { * @since 8.0 */ protected String getStaticFilePath(HttpServletRequest request) { - String pathInfo = request.getPathInfo(); - if (pathInfo == null) { + if (request.getPathInfo() == null) { return null; } + String decodedPath = null; + String contextPath = null; + try { + // pathInfo should be already decoded, but some containers do not decode it, + // hence we use getRequestURI instead. + decodedPath = URLDecoder.decode(request.getRequestURI(), StandardCharsets.UTF_8.name()); + contextPath = URLDecoder.decode(request.getContextPath(), StandardCharsets.UTF_8.name()); + } catch (UnsupportedEncodingException e) { + throw new RuntimeException("An error occurred during decoding URL.",e); + } + // Possible context path needs to be removed + String filePath = decodedPath.substring(contextPath.length()); + String servletPath = request.getServletPath(); + // Possible servlet path needs to be removed + if (!servletPath.isEmpty() && !servletPath.equals("/VAADIN") + && filePath.startsWith(servletPath)) { + filePath = filePath.substring(servletPath.length()); + } // Servlet mapped as /* serves at /VAADIN // Servlet mapped as /foo/bar/* serves at /foo/bar/VAADIN - if (pathInfo.startsWith("/VAADIN/")) { - return pathInfo; + if (filePath.startsWith("/VAADIN/")) { + return filePath; } - String servletPrefixedPath = request.getServletPath() + pathInfo; + String servletPrefixedPath = servletPath + filePath; // Servlet mapped as /VAADIN/* if (servletPrefixedPath.startsWith("/VAADIN/")) { return servletPrefixedPath; -- cgit v1.2.3