Prevent Undertow from exposing classpath files
Update `UndertowEmbeddedServletContainerFactory` so that the `ClassPathResourceManager` is no longer registered by default. Prior to this commit the resource manager would be registered whenever a valid document root could not be found. This had the effect of exposing all classpath files. Fixes gh-4015
This commit is contained in:
parent
56643222cf
commit
c804299c8d
@ -56,7 +56,6 @@ import org.xnio.SslClientAuthMode;
import io.undertow.Undertow;
import io.undertow.Undertow.Builder;
import io.undertow.UndertowMessages;
import io.undertow.server.handlers.resource.ClassPathResourceManager;
import io.undertow.server.handlers.resource.FileResourceManager;
import io.undertow.server.handlers.resource.Resource;
import io.undertow.server.handlers.resource.ResourceChangeListener;
@ -370,10 +369,7 @@ public class UndertowEmbeddedServletContainerFactory
if (root != null && root.isFile()) {
return new JarResourcemanager(root);
}
if (this.resourceLoader != null) {
return new ClassPathResourceManager(this.resourceLoader.getClassLoader(), "");
}
return new ClassPathResourceManager(getClass().getClassLoader(), "");
return ResourceManager.EMPTY_RESOURCE_MANAGER;
}
private void configureErrorPages(DeploymentInfo servletBuilder) {
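Review bot: The new `return ResourceManager.EMPTY_RESOURCE_MANAGER;` carries no explanation of why the class-loader fallback was removed, so the reason is only recoverable from the commit message and a later maintainer could reintroduce the fallback as a "fix"; a short why-comment above it would prevent that, e.g. `// No document root: serve nothing rather than fall back to the class loader, which would expose every classpath file (gh-4015)`. The enclosing method starts before the hunk, so whether a directory-valued `root` is handled above the `root.isFile()` check cannot be confirmed from here. The `JarResourcemanager` spelling on the preceding line is pre-existing and not part of this change. The import removal in the first hunk is the matching cleanup and needs nothing further.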
@ -482,6 +482,17 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests {
equalTo("test"));
}
@Test
public void cannotReadClassPathFiles() throws Exception {
AbstractEmbeddedServletContainerFactory factory = getFactory();
this.container = factory
.getEmbeddedServletContainer(exampleServletRegistration());
this.container.start();
ClientHttpResponse response = getClientResponse(
getLocalUrl("/org/springframework/boot/SpringApplication.class"));
assertThat(response.getStatusCode(), equalTo(HttpStatus.NOT_FOUND));
}
private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) {
return getSsl(clientAuth, keyPassword, keyStore, null);
}
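Review bot: In `cannotReadClassPathFiles` the `ClientHttpResponse` returned by `getClientResponse` is never closed; `ClientHttpResponse` is `Closeable`, so the status assertion should sit in a `try` block whose `finally` calls `response.close()` (or a try-with-resources if the file's Java level permits it), unless `getClientResponse` already tracks responses for cleanup outside this hunk. The probe path `/org/springframework/boot/SpringApplication.class` is a sound canary because it is guaranteed to be on the test classpath, but a 404 on its own does not distinguish "classpath not served" from "nothing served at all"; if the file already has a test that successfully fetches a document-root resource, naming it in a one-line comment here, e.g. `// positive control: see the document-root test that expects 200`, makes the pairing explicit. The `getSsl` method that follows is pre-existing context and is not part of this change.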