From 03380810ef09c5e4890664d572873dab818cb09f Mon Sep 17 00:00:00 2001
From: Rich Turner
Date: Mon, 17 Feb 2020 15:22:44 +0000
Subject: [PATCH] Fix for path traversal vulnerability for HttpHandlers that serve files using FileServlet (should change to undertow PathResourceManager)
---
 .../java/org/openremote/manager/web/ManagerWebService.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/manager/src/main/java/org/openremote/manager/web/ManagerWebService.java b/manager/src/main/java/org/openremote/manager/web/ManagerWebService.java
index 6ec70f4da8..6d1383d593 100644
--- a/manager/src/main/java/org/openremote/manager/web/ManagerWebService.java
+++ b/manager/src/main/java/org/openremote/manager/web/ManagerWebService.java
@@ -20,6 +20,7 @@ package org.openremote.manager.web;
 import io.undertow.server.HttpHandler;
+import io.undertow.server.handlers.CanonicalPathHandler;
 import io.undertow.server.handlers.PathHandler;
 import io.undertow.server.handlers.RedirectHandler;
 import io.undertow.servlet.Servlets;
@@ -30,7 +31,6 @@ import org.jboss.resteasy.plugins.server.servlet.ResteasyContextParameters;
 import org.jboss.resteasy.spi.ResteasyDeployment;
 import org.openremote.container.Container;
-import org.openremote.container.ContainerService;
 import org.openremote.container.security.IdentityService;
 import org.openremote.container.web.WebService;
 import org.openremote.container.web.jsapi.JSAPIServlet;
@@ -309,10 +309,11 @@ protected HttpHandler createJsApiHandler(IdentityService identityService, Restea
 return addServletDeployment(identityService, deploymentInfo, false);
 }
+ // TODO: Switch to use PathResourceManager
 public HttpHandler createFileHandler(boolean devMode, IdentityService identityService, Path filePath, String[] requiredRoles) {
 requiredRoles = requiredRoles == null ? new String[0] : requiredRoles;
 DeploymentInfo deploymentInfo = ManagerFileServlet.createDeploymentInfo(devMode, "", filePath, requiredRoles);
- return addServletDeployment(identityService, deploymentInfo, requiredRoles.length != 0);
+ return new CanonicalPathHandler(addServletDeployment(identityService, deploymentInfo, requiredRoles.length != 0));
 }
 @Override
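Review bot: Wrapping the deployment in `CanonicalPathHandler` fixes the path at the perimeter of `createFileHandler` only; `ManagerFileServlet` itself (outside this hunk) still appears to have no check that the file it resolves stays under `filePath`, so any other deployment built from `ManagerFileServlet.createDeploymentInfo` that is not wrapped the same way would keep the original exposure. The durable fix is the one the TODO and the commit title already name — have the servlet resolve the requested name against the base directory and reject anything whose normalized path does not start with that base, or switch to `PathResourceManager`, which does this itself. Until then the TODO should record why the wrapper is load-bearing, e.g. `// CanonicalPathHandler collapses "." and ".." segments before the servlet resolves the file; keep it until PathResourceManager replaces ManagerFileServlet`. It is also worth confirming that canonicalization runs on the decoded request path: Undertow decodes percent-escapes at the connector when its default URL decoding is enabled, but if that option is turned off for this listener (not visible here) encoded traversal segments would reach the servlet unchanged. A regression test that requests a path containing `..` segments through this handler and asserts the served file lies under `filePath` would pin the fix.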