Never expose user.dir to the web on directory listing
Motivation: When the Netty HTTP Static File Server does directory listing, it exposes the user.dir environment variable to the user. Although it isn't a security issue, it is bad practice to show it, and the user expects to see the server's virtual root instead, which is the absolute path as mentioned in the RFC. Modifications: the sendListing method receives a third argument, which is the requested URI, and this is what should be displayed on the page instead of the filesystem path. Result: The directory listing pages will show the virtual path as described in the URI and not the real filesystem path. Removed fallback method
This commit is contained in:
parent
b963595988
commit
15222c084d
@ -137,7 +137,7 @@ public class HttpStaticFileServerHandler extends SimpleChannelInboundHandler<Ful
if (file.isDirectory()) {
if (uri.endsWith("/")) {
sendListing(ctx, file);
sendListing(ctx, file, uri);
} else {
sendRedirect(ctx, uri + '/');
}
|
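Review bot: `sendListing(ctx, file, uri)` hands the listing the raw request URI — the same string `uri.endsWith("/")` and `sendRedirect(ctx, uri + '/')` work on — rather than the sanitized path that resolved `file`, so whatever sendListing renders under the new `dirPath` parameter is request-controlled text. The second hunk shows that value replacing `dir.getPath()`, and if the lines cut off after `.append("<html><head><title>")` append `dirPath` unescaped (as the old filesystem path presumably was), the page now reflects request input into HTML; file names in the listing are constrained by `ALLOWED_FILE_NAME`, but that pattern is never applied to the URI. Either pass the already-sanitized path instead of `uri`, or escape it at the append site, e.g. `.append(escapeHtml(dirPath))` with a small private helper that replaces `&`, `<`, `>`, `"` and `'` with their entity forms. The enclosing method starts and ends outside this hunk.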
@ -264,11 +264,10 @@ public class HttpStaticFileServerHandler extends SimpleChannelInboundHandler<Ful
private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[A-Za-z0-9][-_A-Za-z0-9\\.]*");
|
private static void sendListing(ChannelHandlerContext ctx, File dir) {
private static void sendListing(ChannelHandlerContext ctx, File dir, String dirPath) {
FullHttpResponse response = new DefaultFullHttpResponse(HTTP_1_1, OK);
response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/html; charset=UTF-8");
|
String dirPath = dir.getPath();
StringBuilder buf = new StringBuilder()
.append("<!DOCTYPE html>\r\n")
.append("<html><head><title>")
|