While we prevent individual ServletContext.getResource(String) requests for the loader and do not allow it to be served static resources, when using Tomcat, getResourcePath(String) will return paths that allow navigation of the loader's directory structure. The same is not possible when using Jetty. We should see if we can prevent it with Tomcat as well.
The fix for this should be trivial. Just filter out all paths starting with org/springframework/boot/loader in org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.LoaderHidingWebResourceSet#listWebAppPaths.
This might be a candidate for a first-timers-only issue.
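A sketch of the prefix filter suggested in the comments above, as an added example that is not Spring Boot's code. The class and method names are hypothetical, and it assumes listing entries in the form the Servlet API returns them (leading "/", directories ending in "/"). The match is made on a path-segment boundary so that a sibling directory whose name merely begins with "loader" stays visible.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper, not part of Spring Boot.
public class LoaderPathFilter {

    // Prefix named in the comment above, written with the leading slash
    // that directory-listing results carry.
    private static final String LOADER_DIR = "/org/springframework/boot/loader";

    // True when the path is the loader directory itself or anything beneath it.
    static boolean isLoaderPath(String path) {
        String normalized = path.startsWith("/") ? path : "/" + path;
        return normalized.equals(LOADER_DIR)
                || normalized.startsWith(LOADER_DIR + "/");
    }

    // Returns a copy of a directory listing with the loader entries removed.
    static Set<String> hideLoader(Set<String> listed) {
        Set<String> visible = new LinkedHashSet<>();
        for (String path : listed) {
            if (!isLoaderPath(path)) {
                visible.add(path);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample listing; the "loaders" sibling is made up to
        // show that only the exact loader directory is filtered.
        Set<String> listed = new LinkedHashSet<>(List.of(
                "/org/springframework/boot/loader/",
                "/org/springframework/boot/loader/jar/",
                "/org/springframework/boot/loaders/",
                "/org/springframework/boot/autoconfigure/"));
        System.out.println(hideLoader(listed));
    }
}
```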