
Commit d9d891b

authored
Merge pull request #1407 from fl4via/UNDERTOW-2186-master
[UNDERTOW-2186] allow WEB-INF or META-INF subdirectory access
2 parents d24d91f + 990a80a commit d9d891b


4 files changed

+27
-1
lines changed


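--- a/servlet/src/main/java/io/undertow/servlet/handlers/Paths.java
+++ b/servlet/src/main/java/io/undertow/servlet/handlers/Paths.java
@@ -35,7 +35,7 @@ private Paths() {
 static boolean isForbidden(final String path) {
 final StringTokenizer st = new StringTokenizer(path, "/\\", false);
 String subPath;
-while (st.hasMoreTokens()) {
+if (st.hasMoreTokens()) {
 subPath = st.nextToken();
 if (META_INF.equalsIgnoreCase(subPath) || WEB_INF.equalsIgnoreCase(subPath)) {
 return true;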
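Review bot: After this change `isForbidden` compares only the first token of `path` against `META_INF`/`WEB_INF`, so it is safe only when every caller hands it a path that is already canonicalized and relative to the deployment root, and nothing in the hunk shows or states that. If a caller passes a raw or partially decoded path, a leading segment in front of a top-level `WEB-INF` would make the check return false where the old `while` loop rejected it. I would state the precondition on the method, e.g. `// path must be canonicalized and context-relative: only the first segment is checked`, and confirm the call sites normalize before calling. The method body continues past the end of the hunk, so the rest of the `if` is not visible here.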

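--- a/servlet/src/test/java/io/undertow/servlet/test/defaultservlet/DefaultServletTestCase.java
+++ b/servlet/src/test/java/io/undertow/servlet/test/defaultservlet/DefaultServletTestCase.java
@@ -273,6 +273,30 @@ public void testNoAccessToMetaInfResource() throws IOException {
 }
 }
 
+@Test
+public void testAccessToMetaInfSubDirResource() throws IOException {
+TestHttpClient client = new TestHttpClient();
+try {
+HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL() + "/servletContext/foo/meta-inf/notsecret");
+HttpResponse result = client.execute(get);
+Assert.assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
+} finally {
+client.getConnectionManager().shutdown();
+}
+}
+
+@Test
+public void testAccessToWebInfSubDirResource() throws IOException {
+TestHttpClient client = new TestHttpClient();
+try {
+HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL() + "/servletContext/foo/web-inf/notsecret");
+HttpResponse result = client.execute(get);
+Assert.assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
+} finally {
+client.getConnectionManager().shutdown();
+}
+}
+
 @Test
 public void testDirectoryListing() throws IOException {
 TestHttpClient client = new TestHttpClient();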
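Review bot: Both new tests pin only the relaxed behaviour (a nested `meta-inf`/`web-inf` directory is served) and assert only the status code; nothing added here pins that the top-level directories stay blocked when the request path is not in canonical form, which is the case the one-token check in `Paths.isForbidden` now depends on. I would add a companion negative test next to `testNoAccessToMetaInfResource` that requests a top-level `WEB-INF` resource through a non-canonical path and asserts it is still refused, and have the two new tests also compare the response body with the fixture content (presumably the `not confidential` files added in this commit). The two methods differ only in the URL, so a small private helper taking the path would remove the duplication.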
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
not confidential
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
not confidential
