Fix for path traversal vulnerability for HttpHandlers that serve file…

…s using FileServlet (should change to undertow PathResourceManager)
openremote · Feb 17, 2020 · 0338081 · 0338081
1 parent f46dac1
commit 0338081
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/manager/src/main/java/org/openremote/manager/web/ManagerWebService.java b/manager/src/main/java/org/openremote/manager/web/ManagerWebService.java
@@ -20,6 +20,7 @@
 package org.openremote.manager.web;
 
 import io.undertow.server.HttpHandler;
+import io.undertow.server.handlers.CanonicalPathHandler;
 import io.undertow.server.handlers.PathHandler;
 import io.undertow.server.handlers.RedirectHandler;
 import io.undertow.servlet.Servlets;
@@ -30,7 +31,6 @@
 import org.jboss.resteasy.plugins.server.servlet.ResteasyContextParameters;
 import org.jboss.resteasy.spi.ResteasyDeployment;
 import org.openremote.container.Container;
-import org.openremote.container.ContainerService;
 import org.openremote.container.security.IdentityService;
 import org.openremote.container.web.WebService;
 import org.openremote.container.web.jsapi.JSAPIServlet;
@@ -309,10 +309,11 @@ protected HttpHandler createJsApiHandler(IdentityService identityService, Restea
         return addServletDeployment(identityService, deploymentInfo, false);
     }
 
+    // TODO: Switch to use PathResourceManager
     public HttpHandler createFileHandler(boolean devMode, IdentityService identityService, Path filePath, String[] requiredRoles) {
         requiredRoles = requiredRoles == null ? new String[0] : requiredRoles;
         DeploymentInfo deploymentInfo = ManagerFileServlet.createDeploymentInfo(devMode, "", filePath, requiredRoles);
-        return addServletDeployment(identityService, deploymentInfo, requiredRoles.length != 0);
+        return new CanonicalPathHandler(addServletDeployment(identityService, deploymentInfo, requiredRoles.length != 0));
     }
 
     @Override