opendev/gerrit
Code Issues Proposed changes

Don't allow the static servlet to serve paths with "\" in them

Browse Source 
On Windows that might be a path separator character.  We don't
serve subdirectories from the $site_path/static directory.

Signed-off-by: Shawn O. Pearce <sop@google.com>
This commit is contained in:
Shawn O. Pearce
2009-01-06 12:06:37 -08:00
parent 2e2d5a8582
commit 06fa386793
1 changed files with 17 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
appjar/src/main/java/com/google/gerrit/server/StaticServlet.java
View File

@@ -108,11 +108,24 @@ public class StaticServlet extends HttpServlet {
private File local(final HttpServletRequest req) { private File local(final HttpServletRequest req) {
final String name = req.getPathInfo(); final String name = req.getPathInfo();
if (name.startsWith("/") && name.length() > 1 && name.indexOf('/', 1) < 0) { if (name.length() < 2 || !name.startsWith("/")) {
final File p = new File(staticBase, name.substring(1)); // Too short to be a valid file name, or doesn't start with
return p.isFile() ? p : null; // the path info separator like we expected.
//
return null;
} }
return null;
if (name.indexOf('/', 1) > 0 || name.indexOf('\\', 1) > 0) {
// Contains a path separator. Don't serve it as the client
// might be trying something evil like "/../../etc/passwd".
// This static servlet is just meant to facilitate simple
// assets like banner images.
//
return null;
}
final File p = new File(staticBase, name.substring(1));
return p.isFile() ? p : null;
} }
@Override @Override