From 32bff7744eeb2106fc2c1b5a490e40b905bbdfc6 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Fri, 30 Jul 2021 16:44:55 +1000
Subject: [PATCH] Issue #6497 - Fix AllowedResourceAliasChecker if protectedTarget does not exist
Signed-off-by: Lachlan Roberts
---
 .../jetty/server/AllowedResourceAliasChecker.java | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/AllowedResourceAliasChecker.java b/jetty-server/src/main/java/org/eclipse/jetty/server/AllowedResourceAliasChecker.java
index 343bec0138d0..14a7f138ae6a 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/AllowedResourceAliasChecker.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/AllowedResourceAliasChecker.java
@@ -84,7 +84,7 @@ protected void doStart() throws Exception
 {
 for (String s : protectedTargets)
 {
- _protectedPaths.add(_basePath.resolve(s));
+ _protectedPaths.add(new File(_basePath.toFile(), s).toPath());
 }
 }
 }
@@ -155,12 +155,15 @@ protected boolean isProtectedPath(Path resourcePath, LinkOption[] linkOptions) t
 for (Path protectedPath : _protectedPaths)
 {
- // We know the targetPath exists, so if protectedPath doesn't exist then targetPath cannot be a child of it.
- if (!Files.exists(protectedPath, linkOptions))
- continue;
+ String protect;
+ if (Files.exists(protectedPath, linkOptions))
+ protect = protectedPath.toRealPath(linkOptions).toString();
+ else if (linkOptions == NO_FOLLOW_LINKS)
+ protect = protectedPath.normalize().toAbsolutePath().toString();
+ else
+ protect = protectedPath.toFile().getCanonicalPath();
 // If the target path is protected then we will not allow it.
- String protect = protectedPath.toRealPath(linkOptions).toString();
 if (StringUtil.startsWithIgnoreCase(target, protect))
 {
 if (target.length() == protect.length())
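Review bot: The replacement of `_basePath.resolve(s)` with `new File(_basePath.toFile(), s).toPath()` in the doStart loop has no comment explaining why, and the reason is easy to undo in a later cleanup. `Path.resolve` returns its argument when that argument is absolute, so a protected target written with a leading slash would presumably land outside the base directory and protect nothing under it. I would add above the line `// File(parent, child) keeps a leading-slash target under _basePath; Path.resolve would return an absolute child unchanged.` Separately, `Path.toFile()` throws UnsupportedOperationException for a path that is not on the default filesystem, so if `_basePath` can come from another provider (not visible here) that case needs a guard. doStart begins above the hunk.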
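Review bot: `linkOptions == NO_FOLLOW_LINKS` compares array references, so a caller that passes an equal but distinct `LinkOption[]` falls through to the `else` branch and gets `getCanonicalPath()`, which resolves symbolic links. If `target` was computed without following links (its computation is outside this hunk), `protect` and `target` are then canonicalised differently for a protected path that does not exist, and the prefix test can miss, which fails open. Testing the contents instead, `else if (Arrays.asList(linkOptions).contains(LinkOption.NOFOLLOW_LINKS))`, removes the dependence on array identity, though it needs `java.util.Arrays` imported. A short comment on each of the three branches naming the link policy it mirrors would also help. isProtectedPath starts and ends outside the hunk.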