From 64d9caa1aad41d83c65ff2b523d61ee4274d3269 Mon Sep 17 00:00:00 2001
From: adavid9 <dawid.antecki7@gmail.com>
Date: Mon, 15 Jul 2019 22:17:36 +0200
Subject: [PATCH] Prevents navigation through the loader's directory structure

See gh-17262
---
 .../web/embedded/tomcat/TomcatServletWebServerFactory.java   | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java
index 131ff8d265cf..4c34e1d44dcf 100644
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java
@@ -31,6 +31,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import javax.servlet.ServletContainerInitializer;
 
@@ -91,6 +92,7 @@
  * @author Andy Wilkinson
  * @author Eddú Meléndez
  * @author Christoffer Sawicki
+ * @author Dawid Antecki
  * @since 2.0.0
  * @see #setPort(int)
  * @see #setContextLifecycleListeners(Collection)
@@ -813,7 +815,8 @@ public String[] list(String path) {
 
 		@Override
 		public Set<String> listWebAppPaths(String path) {
-			return this.delegate.listWebAppPaths(path);
+			return this.delegate.listWebAppPaths(path).stream()
+					.filter(p -> !p.startsWith("org/springframework/boot/loader")).collect(Collectors.toSet());
 		}
 
 		@Override