JETTY-980 & JETTY-1004

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@199 7e9141cc-0065-0410-87d8-b60c137991c4
jetty · Apr 30, 2009 · 456a001 · 456a001
1 parent 79edb1e
commit 456a001
Show file tree

Hide file tree

Showing 9 changed files with 412 additions and 32 deletions.
diff --git a/VERSION.txt b/VERSION.txt
@@ -1,9 +1,11 @@
 jetty-7.0.0.M2-SNAPSHOT
  + JETTY-941 Linux chkconfig hint
- + JETTY-959 CGI servlet doesn't kill the CGI in case the client disconnects
+ + JETTY-959 CGI servlet doesn't kill the CGI in case the client disconnects 
+ + JETTY-980 Fixed ResourceHandler ? handling, and bad URI creation in listings
  + JETTY-996 Make start-stop-daemon optional
  + 273767 Update to use geronimo annotations spec 1.1.1
  + JETTY-1003 java.lang.IllegalArgumentException: timeout can't be negative
+ + JETTY-1004 Canonical path handling includes ? in path segment
 
 jetty-7.0.0.M1 22 April 2009
  + 271258 FORM Authentication dispatch handling avoids caching

diff --git a/jetty-embedded-examples/src/main/java/org/eclipse/jetty/embedded/FileServer.java b/jetty-embedded-examples/src/main/java/org/eclipse/jetty/embedded/FileServer.java
@@ -23,6 +23,7 @@
 import org.eclipse.jetty.server.handler.DefaultHandler;
 import org.eclipse.jetty.server.handler.HandlerList;
 import org.eclipse.jetty.server.handler.ResourceHandler;
+import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.resource.Resource;
 
 /* ------------------------------------------------------------ */
@@ -47,9 +48,10 @@ protected void doDirectory(HttpServletRequest request, HttpServletResponse respo
                 response.getWriter().println(listing);
             }
         };
+        resource_handler.setWelcomeFiles(new String[]{"index.html"});
 
         resource_handler.setResourceBase(args.length==2?args[1]:".");
-
+        Log.info("serving "+resource_handler.getBaseResource());
         HandlerList handlers = new HandlerList();
         handlers.setHandlers(new Handler[]{resource_handler,new DefaultHandler()});
         server.setHandler(handlers);

diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java b/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java
@@ -32,6 +32,7 @@
 import org.eclipse.jetty.http.HttpHeaderValues;
 import org.eclipse.jetty.http.HttpHeaders;
 import org.eclipse.jetty.http.HttpStatus;
+import org.eclipse.jetty.http.HttpURI;
 import org.eclipse.jetty.http.HttpVersions;
 import org.eclipse.jetty.http.MimeTypes;
 import org.eclipse.jetty.io.BufferCache.CachedBuffer;
@@ -419,12 +420,12 @@ public void sendRedirect(String location) throws IOException
         {
             StringBuilder buf = _connection.getRequest().getRootURL();
             if (location.startsWith("/"))
-                buf.append(URIUtil.canonicalPath(location));
+                buf.append(location);
             else
             {
                 String path=_connection.getRequest().getRequestURI();
                 String parent=(path.endsWith("/"))?path:URIUtil.parentPath(path);
-                location=URIUtil.canonicalPath(URIUtil.addPaths(parent,location));
+                location=URIUtil.addPaths(parent,location);
                 if(location==null)
                     throw new IllegalStateException("path cannot be above root");
                 if (!location.startsWith("/"))
@@ -433,6 +434,27 @@ public void sendRedirect(String location) throws IOException
             }
 
             location=buf.toString();
+            HttpURI uri = new HttpURI(location);
+            String path=uri.getDecodedPath();
+            String canonical=URIUtil.canonicalPath(path);
+            if (canonical==null)
+                throw new IllegalArgumentException();
+            if (!canonical.equals(path))
+            {
+                buf = _connection.getRequest().getRootURL();
+                buf.append(canonical);
+                if (uri.getQuery()!=null)
+                {
+                    buf.append('?');
+                    buf.append(uri.getQuery());
+                }
+                if (uri.getFragment()!=null)
+                {
+                    buf.append('#');
+                    buf.append(uri.getFragment());
+                }
+                location=buf.toString();
+            }
         }
         resetBuffer();
 

diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java
@@ -36,6 +36,7 @@
 import org.eclipse.jetty.util.TypeUtil;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.resource.FileResource;
 import org.eclipse.jetty.util.resource.Resource;
 
 
@@ -56,6 +57,7 @@ public class ResourceHandler extends AbstractHandler
     String[] _welcomeFiles={"index.html"};
     MimeTypes _mimeTypes = new MimeTypes();
     ByteArrayBuffer _cacheControl;
+    boolean _aliases;
 
     /* ------------------------------------------------------------ */
     public ResourceHandler()
@@ -74,12 +76,41 @@ public void setMimeTypes(MimeTypes mimeTypes)
         _mimeTypes = mimeTypes;
     }
 
+    /* ------------------------------------------------------------ */
+    /**
+     * @return True if resource aliases are allowed.
+     */
+    public boolean isAliases()
+    {
+        return _aliases;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * Set if resource aliases (eg symlink, 8.3 names, case insensitivity) are allowed.
+     * Allowing aliases can significantly increase security vulnerabilities.
+     * If this handler is deployed inside a ContextHandler, then the 
+     * {@link ContextHandler#isAliases()} takes precedent.
+     * @param aliases True if aliases are supported.
+     */
+    public void setAliases(boolean aliases)
+    {
+        _aliases = aliases;
+    }
+
     /* ------------------------------------------------------------ */
     public void doStart()
     throws Exception
     {
         Context scontext = ContextHandler.getCurrentContext();
         _context = (scontext==null?null:scontext.getContextHandler());
+
+        if (_context!=null)
+            _aliases=_context.isAliases();
+
+        if (!_aliases && !FileResource.getCheckAliases())
+            throw new IllegalStateException("Alias checking disabled");
+
         super.doStart();
     }
 
@@ -239,6 +270,11 @@ public void handle(String target, HttpServletRequest request, HttpServletRespons
 
         if (resource==null || !resource.exists())
             return;
+        if (!_aliases && resource.getAlias()!=null)
+        {
+            Log.info(resource+" aliased to "+resource.getAlias());
+            return;
+        }
 
         // We are going to server something
         base_request.setHandled(true);

diff --git a/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/DefaultServlet.java b/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/DefaultServlet.java
@@ -52,6 +52,7 @@
 import org.eclipse.jetty.util.TypeUtil;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.resource.FileResource;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.resource.ResourceFactory;
 
@@ -154,9 +155,13 @@ public void init()
         _redirectWelcome=getInitBoolean("redirectWelcome",_redirectWelcome);
         _gzip=getInitBoolean("gzip",_gzip);
 
-        String aliases=_servletContext.getInitParameter("aliases");
-        if (aliases!=null)
-            _contextHandler.setAliases(Boolean.parseBoolean(aliases));
+        if (getInitParameter("aliases")!=null)
+            _contextHandler.setAliases(getInitBoolean("aliases",false));
+        boolean aliases=_contextHandler.isAliases();
+        if (!aliases && !FileResource.getCheckAliases())
+            throw new IllegalStateException("Alias checking disabled");
+        if (aliases)
+            _servletContext.log("Aliases are enabled");
 
         _useFileMappedBuffer=getInitBoolean("useFileMappedBuffer",_useFileMappedBuffer);