From e975dbe3f04371a1463437db56dda012bbb958c6 Mon Sep 17 00:00:00 2001
From: Phillip Webb <pwebb@pivotal.io>
Date: Fri, 16 Mar 2018 11:56:34 -0700
Subject: [PATCH] Only use jar shortcut for matching URLs

Update JAR `Handler` logic so that the existing `jarFile` is only used
if the requested URL starts with the same path. Prior to this commit it
was possible to construct a URL with another URL as context. This could
mean that the `handler` was shared and the already resolved `jarFile`
contained in the handler wasn't necessarily suitable.

Fixes gh-12483
---
 .../boot/loader/jar/Handler.java              |  3 ++-
 .../boot/loader/jar/JarFileTests.java         | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/Handler.java b/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/Handler.java
index 991309413b4..3d93b430619 100644
--- a/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/Handler.java
+++ b/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/Handler.java
@@ -92,7 +92,8 @@ public class Handler extends URLStreamHandler {
 
 	@Override
 	protected URLConnection openConnection(URL url) throws IOException {
-		if (this.jarFile != null) {
+		if (this.jarFile != null
+				&& url.toString().startsWith(this.jarFile.getUrl().toString())) {
 			return JarURLConnection.get(url, this.jarFile);
 		}
 		try {
diff --git a/spring-boot-tools/spring-boot-loader/src/test/java/org/springframework/boot/loader/jar/JarFileTests.java b/spring-boot-tools/spring-boot-loader/src/test/java/org/springframework/boot/loader/jar/JarFileTests.java
index e4466b8b47d..6cff3ec742e 100644
--- a/spring-boot-tools/spring-boot-loader/src/test/java/org/springframework/boot/loader/jar/JarFileTests.java
+++ b/spring-boot-tools/spring-boot-loader/src/test/java/org/springframework/boot/loader/jar/JarFileTests.java
@@ -485,4 +485,24 @@ public class JarFileTests {
 		assertThat(temp.delete()).isTrue();
 	}
 
+	@Test
+	public void createUrlFromStringWithContextWhenNotFound() throws Exception {
+		// gh-12483
+		JarURLConnection.setUseFastExceptions(true);
+		try {
+			JarFile.registerUrlProtocolHandler();
+			JarFile nested = this.jarFile
+					.getNestedJarFile(this.jarFile.getEntry("nested.jar"));
+			URL context = nested.getUrl();
+			new URL(context, "jar:" + this.rootJarFile.toURI() + "!/nested.jar!/3.dat")
+					.openConnection().getInputStream().close();
+			this.thrown.expect(FileNotFoundException.class);
+			new URL(context, "jar:" + this.rootJarFile.toURI() + "!/no.dat")
+					.openConnection().getInputStream().close();
+		}
+		finally {
+			JarURLConnection.setUseFastExceptions(false);
+		}
+	}
+
 }