Issue #6497 - do not allow file separator chars other than / in alias…

… uri Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
jetty · Oct 12, 2021 · 401472f · 401472f
1 parent 7f94ec6
commit 401472f
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/SameFileAliasChecker.java b/jetty-server/src/main/java/org/eclipse/jetty/server/SameFileAliasChecker.java
@@ -18,6 +18,7 @@
 
 package org.eclipse.jetty.server;
 
+import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -54,6 +55,10 @@ public class SameFileAliasChecker implements AliasCheck
     @Override
     public boolean check(String uri, Resource resource)
     {
+        // Do not allow any file separation characters in the URI.
+        if (File.separatorChar != '/' && uri.indexOf(File.separatorChar) >= 0)
+            return false;
+
         // Only support PathResource alias checking
         if (!(resource instanceof PathResource))
             return false;