Improve alias checking in PathResource #6473
Labels
Comments
gregw
changed the title
lachlan-roberts
added a commit
that referenced
this issue
Jun 27, 2021
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts
added a commit
that referenced
this issue
Jun 28, 2021
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
gregw
added a commit
that referenced
this issue
Jun 28, 2021
#6474) Reduce multiple canonicalPath calls with single alias check in PathResource Revert to decoding and the normalizing URLs so that subsequent canonicalPath calls are noops. Co-authored-by: Lachlan Roberts <lachlan@webtide.com>
sbordet
added a commit
that referenced
this issue
Jun 28, 2021
* Reverted %-escape handling for URI query parts. * Performing canonicalization in ServletContext.getResource(), and improving alias checking in ContextHandler.getResource(). * Performing canonicalization checks in Resource.addPath() to avoid navigation above of the root. * Test added and fixed. * Various cleanups. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
lachlan-roberts
added a commit
that referenced
this issue
Jun 29, 2021
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
gregw
pushed a commit
that referenced
this issue
Jun 29, 2021
* Reverted %-escape handling for URI query parts. * Performing canonicalization in ServletContext.getResource(), and improving alias checking in ContextHandler.getResource(). * Performing canonicalization checks in Resource.addPath() to avoid navigation above of the root. * Test added and fixed. * Various cleanups. * Improved javadoc and comments Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
lachlan-roberts
pushed a commit
that referenced
this issue
Jun 29, 2021
* Reverted %-escape handling for URI query parts. * Performing canonicalization in ServletContext.getResource(), and improving alias checking in ContextHandler.getResource(). * Performing canonicalization checks in Resource.addPath() to avoid navigation above of the root. * Test added and fixed. * Various cleanups. * Improved javadoc and comments Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
This was referenced Jun 29, 2021
sbordet
added a commit
that referenced
this issue
Jun 29, 2021
* Issue #6473 - Improve alias checking in PathResource. * Reverted %-escape handling for URI query parts. * Performing canonicalization in ServletContext.getResource(), and improving alias checking in ContextHandler.getResource(). * Performing canonicalization checks in Resource.addPath() to avoid navigation above of the root. * Test added and fixed. * Various cleanups. * Improved javadoc and comments Signed-off-by: Simone Bordet <simone.bordet@gmail.com> Co-authored-by: Greg Wilkins <gregw@webtide.com>
sbordet
pushed a commit
that referenced
this issue
Jun 29, 2021
…e (Jetty-10) (#6478) Issue #6473 - canonicalPath refactor & fix alias check in PathResource * Reverted %-escape handling for URI query parts. * Performing canonicalization in ServletContext.getResource(), and improving alias checking in ContextHandler.getResource(). * Performing canonicalization checks in Resource.addPath() to avoid navigation above of the root. * Test added and fixed. * Various cleanups. * Improved javadoc and comments * Compliance mode HttpURI uses UriCompliance.Violation Signed-off-by: Lachlan Roberts <lachlan@webtide.com> Signed-off-by: Simone Bordet <simone.bordet@gmail.com> Co-authored-by: Greg Wilkins <gregw@webtide.com>
|
This is done in both the 9.4.43 project and the 10.0.6/11.0.6 project so I think this issue can be closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Target Jetty version(s)
9.10,11
Enhancement Description
Currently multiple calls to canonicalPath are done, which is inefficient repeat scanning. Include normalization in alias checks, as was previously done in FileResource, so that only a single normalization pass is needed.
The text was updated successfully, but these errors were encountered: