getResourcePaths(String) allows navigation through the loader's directory structure when using Tomcat #17262

Closed
wilkinsona opened this issue Jun 19, 2019 · 6 comments
Labels
status: superseded An issue that has been superseded by another type: bug A general bug

Comments

@wilkinsona
Member

While we prevent individual ServletContext.getResource(String) requests for the loader and do not allow it to be served as static resources, when using Tomcat, getResourcePaths(String) will return paths that allow navigation of the loader's directory structure. The same is not possible when using Jetty. We should see if we can prevent it with Tomcat as well.

@larsgrefer
Contributor

The fix for this should be trivial. Just filter out all paths starting with org/springframework/boot/loader in org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.LoaderHidingWebResourceSet#listWebAppPaths.

This might be a candidate for a first-timers-only issue.

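As an added illustration (not Spring Boot's or Tomcat's code), a small Python model of the two code paths discussed in this thread: getResource() refuses the loader package while an unfiltered listWebAppPaths() still enumerates it, beside a filtered listing of the kind the comment above suggests. The path names are constructed, and the listing semantics (direct children of a directory, subdirectories with a trailing slash) are an assumption of the model.

```python
# Model of the reported leak: per-resource blocking alone does not stop
# directory listing from revealing the loader's layout. Constructed data.
LOADER_PREFIX = "/org/springframework/boot/loader"

# Constructed sample of a repackaged jar root; not a real listing.
SAMPLE_PATHS = [
    "/index.html",
    "/org/springframework/boot/loader/JarLauncher.class",
    "/org/springframework/boot/loader/jar/JarFile.class",
    "/org/springframework/boot/loaderdemo/App.class",  # sibling dir, must stay visible
    "/com/example/App.class",
]


def is_loader_path(path):
    """Directory-boundary check: hides the loader package and everything below it,
    but not siblings such as /org/springframework/boot/loaderdemo."""
    path = path.rstrip("/")
    return path == LOADER_PREFIX or path.startswith(LOADER_PREFIX + "/")


def list_web_app_paths(paths, directory):
    """Direct children of `directory`; subdirectories get a trailing slash (assumed)."""
    directory = directory.rstrip("/") + "/"
    children = set()
    for p in paths:
        if p.startswith(directory):
            head, sep, _ = p[len(directory):].partition("/")
            children.add(directory + head + ("/" if sep else ""))
    return children


def get_resource(paths, path):
    """Per-resource access: the loader package is refused, as the issue describes."""
    if is_loader_path(path):
        return None
    return path if path in paths else None


def leaky_list(paths, directory):
    """Unfiltered listing: leaks loader paths even though get_resource() blocks them."""
    return list_web_app_paths(paths, directory)


def hidden_list(paths, directory):
    """Filtered listing: the loader directory and its children are never returned."""
    if is_loader_path(directory):
        return set()
    return {p for p in list_web_app_paths(paths, directory) if not is_loader_path(p)}
```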
@wilkinsona
Member Author

Closing in favour of #17538.

@wilkinsona wilkinsona removed this from the 2.1.x milestone Jul 18, 2019
@wilkinsona wilkinsona added the status: superseded An issue that has been superseded by another label Jul 18, 2019