Loading...

Type: Bug
Resolution: Duplicate
Priority: Blocker
Fix Version/s: None
Affects Version/s: 8.2.0.Final
Component/s: Web (Undertow)
Labels:
None

Workaround Description:
Hide

Applying the following changes to undertow addresses this:

undertow$ git diff diff --git a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java --- a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java +++ b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java @@ -135,6 +135,8 @@ public class FileResourceManager implements ResourceManager { if(path.endsWith("/") && ! file.isDirectory()) { //UNDERTOW-432 don't return non directories if the path ends with a / return null; + } else if(path.endsWith(".")) { + return null; } boolean isSymlinkPath = isSymlinkPath(base, file); if (isSymlinkPath) { diff --git a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java --- a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java +++ b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java @@ -208,6 +208,10 @@ public class ResourceHandler implements HttpHandler { exchange.setResponseCode(404); exchange.endExchange(); return; + } else if(exchange.getRelativePath().endsWith(".")) { + exchange.setResponseCode(404); + exchange.endExchange(); + return; } final ETag etag = resource.getETag(); diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java --- a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java +++ b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java @@ -172,6 +172,9 @@ public class DefaultServlet extends HttpServlet { //UNDERTOW-432 resp.sendError(404); return; + } else if(path.endsWith(".")) { + resp.sendError(404); + return; } serveFileBlocking(req, resp, resource); }

Note the similarity that this workaround shares with the resolution of WFLY-4595 (which was implemented by commit 4c330e2ac8a3694bfc6196e7b38ba8a426f96f8c of the 1.2.x branch of the git repository ssh://git@github.com/undertow-io/undertow where it has been called UNDERTOW-432).

This workaround does however forbid any serving of files that actually have a period in the end of file name, why this is perhaps not a solution but only a workaround.
Show
Applying the following changes to undertow addresses this: undertow$ git diff diff --git a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java --- a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java +++ b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java @@ -135,6 +135,8 @@ public class FileResourceManager implements ResourceManager { if (path.endsWith( "/" ) && ! file.isDirectory()) { //UNDERTOW-432 don't return non directories if the path ends with a / return null ; + } else if (path.endsWith( "." )) { + return null ; } boolean isSymlinkPath = isSymlinkPath(base, file); if (isSymlinkPath) { diff --git a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java --- a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java +++ b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java @@ -208,6 +208,10 @@ public class ResourceHandler implements HttpHandler { exchange.setResponseCode(404); exchange.endExchange(); return ; + } else if (exchange.getRelativePath().endsWith( "." )) { + exchange.setResponseCode(404); + exchange.endExchange(); + return ; } final ETag etag = resource.getETag(); diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java --- a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java +++ b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java @@ -172,6 +172,9 @@ public class DefaultServlet extends HttpServlet { //UNDERTOW-432 resp.sendError(404); return ; + } else if (path.endsWith( "." )) { + resp.sendError(404); + return ; } serveFileBlocking(req, resp, resource); } Note the similarity that this workaround shares with the resolution of WFLY-4595 (which was implemented by commit 4c330e2ac8a3694bfc6196e7b38ba8a426f96f8c of the 1.2.x branch of the git repository ssh://git@github.com/undertow-io/undertow where it has been called UNDERTOW-432). This workaround does however forbid any serving of files that actually have a period in the end of file name, why this is perhaps not a solution but only a workaround.

All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser.

http://localhost:8080/application/HostPage.jsp%2E
http://localhost:8080/application/HostPage.jsp%2E%2E
http://localhost:8080/application/HostPage.jsp%20%2E
http://localhost:8080/application/HostPage.jsp%20%2E%2E

The problem with periods has perhaps to do with windows removing/accepting trailing periods in file names: here, and here because io.undertow.server.handlers.resource.FileResourceManager.getResource() delegates to java.io.File to test whether a file path is valid or not, and java.io.File does presumably delegate to Windows.

is related to

WFLY-4595 JSP source code leak when a slash added at the end of the URL

Closed

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates