root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Prevent Undertow from exposing classpath files 

Update `UndertowEmbeddedServletContainerFactory` so that the
`ClassPathResourceManager` is no longer registered by default.

Prior to this commit the resource manager would be registered whenever
a valid document root could not be found. This had the effect of
exposing all classpath files.

Fixes gh-4015
This commit is contained in:
Phillip Webb 2015-10-15 16:02:41 -07:00
parent 56643222cf
commit c804299c8d
2 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
View File

@ -56,7 +56,6 @@ import org.xnio.SslClientAuthMode;
import io.undertow.Undertow; import io.undertow.Undertow;
import io.undertow.Undertow.Builder; import io.undertow.Undertow.Builder;
import io.undertow.UndertowMessages; import io.undertow.UndertowMessages;
import io.undertow.server.handlers.resource.ClassPathResourceManager;
import io.undertow.server.handlers.resource.FileResourceManager; import io.undertow.server.handlers.resource.FileResourceManager;
import io.undertow.server.handlers.resource.Resource; import io.undertow.server.handlers.resource.Resource;
import io.undertow.server.handlers.resource.ResourceChangeListener; import io.undertow.server.handlers.resource.ResourceChangeListener;
@ -370,10 +369,7 @@ public class UndertowEmbeddedServletContainerFactory
if (root != null && root.isFile()) { if (root != null && root.isFile()) {
return new JarResourcemanager(root); return new JarResourcemanager(root);
} }
if (this.resourceLoader != null) { return ResourceManager.EMPTY_RESOURCE_MANAGER;
return new ClassPathResourceManager(this.resourceLoader.getClassLoader(), "");
}
return new ClassPathResourceManager(getClass().getClassLoader(), "");
} }
private void configureErrorPages(DeploymentInfo servletBuilder) { private void configureErrorPages(DeploymentInfo servletBuilder) {

11
spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
View File

@ -482,6 +482,17 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests {
equalTo("test")); equalTo("test"));
} }
@Test
public void cannotReadClassPathFiles() throws Exception {
AbstractEmbeddedServletContainerFactory factory = getFactory();
this.container = factory
.getEmbeddedServletContainer(exampleServletRegistration());
this.container.start();
ClientHttpResponse response = getClientResponse(
getLocalUrl("/org/springframework/boot/SpringApplication.class"));
assertThat(response.getStatusCode(), equalTo(HttpStatus.NOT_FOUND));
}
private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) { private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) {
return getSsl(clientAuth, keyPassword, keyStore, null); return getSsl(clientAuth, keyPassword, keyStore, null);
} }