From e9a97953f122b2c82b4708029ae5d37c76b981a9 Mon Sep 17 00:00:00 2001
From: Artur
Date: Sun, 22 Jan 2017 14:00:59 +0200
Subject: Serve VAADIN files also from META-INF/resources (#8286)

Fixes #8206
---
 server/src/main/java/com/vaadin/server/VaadinServlet.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'server')
diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index 8409507846..3dfb5ba33c 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -1156,6 +1156,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
 @Deprecated
 protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request,
 URL resourceUrl) {
+ String resourcePath = resourceUrl.getPath();
 if ("jar".equals(resourceUrl.getProtocol())) {
 // This branch is used for accessing resources directly from the
 // Vaadin JAR in development environments and in similar cases.
@@ -1165,8 +1166,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
 // However, performing a check in case some servers or class loaders
 // try to normalize the path by collapsing ".." before the class
 // loader sees it.
-
- if (!resourceUrl.getPath().contains("!/VAADIN/")) {
+ if (!resourcePath.contains("!/VAADIN/")
+ && !resourcePath.contains("!/META-INF/resources/VAADIN/")) {
 getLogger().log(Level.INFO,
 "Blocked attempt to access a JAR entry not starting with /VAADIN/: {0}",
 resourceUrl);
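Review bot: The widened jar-branch test in the second hunk still uses `contains(...)` on the whole URL path and, unlike the file branch in the last hunk, never rejects `/../`, so the path only has to contain `!/VAADIN/` or `!/META-INF/resources/VAADIN/` somewhere and whatever follows the prefix is not examined. Now that a second prefix is allowed, I would anchor the check on the entry part after the last `!/`, e.g. `String entry = resourcePath.substring(resourcePath.lastIndexOf("!/") + 1);`, then require `entry.startsWith("/VAADIN/") || entry.startsWith("/META-INF/resources/VAADIN/")` together with `!entry.contains("/../")`. The unchanged log text "not starting with /VAADIN/" no longer describes the rule and should name both allowed prefixes, so that a blocked-request log line can be triaged correctly. The part of the comment between the first two hunks and the rest of the method lie outside the visible lines, so this should be confirmed against the full body before it is changed.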
@@ -1182,8 +1183,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
 // Check that the URL is in a VAADIN directory and does not contain
 // "/../"
- if (!resourceUrl.getPath().contains("/VAADIN/")
- || resourceUrl.getPath().contains("/../")) {
+ if (!resourcePath.contains("/VAADIN/")
+ || resourcePath.contains("/../")) {
 getLogger().log(Level.INFO,
 "Blocked attempt to access file: {0}", resourceUrl);
 return false;
-- 
cgit v1.2.3