Skip to content

getResourcePaths(String) allows navigation through the loader's directory structure when using Tomcat #17262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wilkinsona opened this issue Jun 19, 2019 · 6 comments
Closed

getResourcePaths(String) allows navigation through the loader's directory structure when using Tomcat #17262

wilkinsona opened this issue Jun 19, 2019 · 6 comments
Labels
status: superseded An issue that has been superseded by another type: bug A general bug

Comments

@wilkinsona
Copy link
Member

While we prevent individual ServletContext.getResource(String) requests for the loader and do not allow it to be served static resources, when using Tomcat getResourcePath(String) will return paths that allow navigation of the loader's directory structure. The same is not possible when using Jetty. We should see if we can prevent it with Tomcat as well.
@wilkinsona wilkinsona added the type: bug A general bug label Jun 19, 2019
@wilkinsona wilkinsona added this to the 2.1.x milestone Jun 19, 2019
@wilkinsona wilkinsona mentioned this issue Jun 19, 2019
Closed
@larsgrefer
Copy link
Contributor

The fix for this should be trivial. Just filter out all paths starting with org/springframework/boot/loader in org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.LoaderHidingWebResourceSet#listWebAppPaths

this might be a candidate for a first-timers-only issue

@adavid9 adavid9 mentioned this issue Jul 15, 2019
Closed
@adavid9

This comment has been minimized.

Sign in to view
@snicoll

This comment has been minimized.

Sign in to view
adavid9 added a commit to adavid9/spring-boot that referenced this issue Jul 16, 2019
@adavid9
Prevents navigation through the loader's directory structure
9d9d9d6 
See spring-projectsgh-17262
@adavid9 adavid9 mentioned this issue Jul 16, 2019
Closed
@adavid9

This comment has been minimized.

Sign in to view
@snicoll

This comment has been minimized.

Sign in to view
@wilkinsona
Copy link
Member Author

Closing in favour of #17538.

@wilkinsona wilkinsona removed this from the 2.1.x milestone Jul 18, 2019
@wilkinsona wilkinsona added the status: superseded An issue that has been superseded by another label Jul 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: superseded An issue that has been superseded by another type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@snicoll @wilkinsona @larsgrefer @adavid9