Issue #6473 - Improve alias checking in PathResource. #6477

Merged
merged 4 commits into from Jun 29, 2021

@sbordet sbordet commented Jun 28, 2021

Issue #6473

  • Reverted %-escape handling for URI query parts.
  • Performing canonicalization in ServletContext.getResource(),
    and improving alias checking in ContextHandler.getResource().
  • Performing canonicalization checks in Resource.addPath() to avoid
    navigation above the root.
  • Test added and fixed.
  • Various cleanups.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

sbordet commented Jun 28, 2021

@gregw see RequestURITest:88 for TODO to add more tests.

gregw commented Jun 28, 2021

@sbordet added test

gregw previously approved these changes Jun 28, 2021

@gregw gregw left a comment

Just needs a few more comments.... I'll do that now.

gregw previously approved these changes Jun 28, 2021
* Reverted %-escape handling for URI query parts.
* Performing canonicalization in ServletContext.getResource(),
  and improving alias checking in ContextHandler.getResource().
* Performing canonicalization checks in Resource.addPath() to avoid
  navigation above the root.
* Test added and fixed.
* Various cleanups.
* Improved javadoc and comments

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@gregw gregw force-pushed the jetty-9.4.x-6473-improve-alias-checking branch from 5f61a00 to 2e75feb Compare June 29, 2021 01:03
@gregw gregw self-requested a review June 29, 2021 01:52
gregw previously approved these changes Jun 29, 2021
restored removed method as deprecated
restored removed method as deprecated
@lachlan-roberts lachlan-roberts added this to In progress in Jetty 10.0.6/11.0.6 FROZEN via automation Jun 29, 2021
@lachlan-roberts lachlan-roberts removed this from In progress in Jetty 10.0.6/11.0.6 FROZEN Jun 29, 2021
@lachlan-roberts lachlan-roberts added this to In progress in Jetty 9.4.43 FROZEN via automation Jun 29, 2021
@gregw gregw self-requested a review June 29, 2021 05:29
Jetty 9.4.43 FROZEN automation moved this from In progress to Reviewer approved Jun 29, 2021
gregw previously approved these changes Jun 29, 2021
use UriCompliance.Violation
@gregw gregw dismissed stale reviews from lachlan-roberts and themself via 8712df3 June 29, 2021 11:23
Jetty 9.4.43 FROZEN automation moved this from Reviewer approved to Review in progress Jun 29, 2021
@sbordet sbordet merged commit f045b5a into jetty-9.4.x Jun 29, 2021
Jetty 9.4.43 FROZEN automation moved this from Review in progress to Done Jun 29, 2021
@sbordet sbordet deleted the jetty-9.4.x-6473-improve-alias-checking branch June 29, 2021 13:40