Never expose user.dir to the web on directory listing

Motivation:

When Netty HTTP Static File Server does directory listing, it does expose the user.dir environment variable to the user. Although it doesn't a security issue, it is a bad practice to show it, and the user does expect to see the server virtual root instead, which is the absolute path as mentioned in the RFC.

Modifications:

the sendListing method receives a third argument, which is the requested URI, and this is what should be displayed on the page instead of the filesystem path.

Result:

The directory listing pages will show the virtual path as described in the URI and not the real filesystem path.

Removed fallback method
This commit is contained in:
Tomer Cohen 2016-08-15 15:15:10 +03:00 committed by Norman Maurer
parent b963595988
commit 15222c084d

View File

@ -137,7 +137,7 @@ public class HttpStaticFileServerHandler extends SimpleChannelInboundHandler<Ful
if (file.isDirectory()) {
if (uri.endsWith("/")) {
sendListing(ctx, file);
sendListing(ctx, file, uri);
} else {
sendRedirect(ctx, uri + '/');
}
@ -264,11 +264,10 @@ public class HttpStaticFileServerHandler extends SimpleChannelInboundHandler<Ful
private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[A-Za-z0-9][-_A-Za-z0-9\\.]*");
private static void sendListing(ChannelHandlerContext ctx, File dir) {
private static void sendListing(ChannelHandlerContext ctx, File dir, String dirPath) {
FullHttpResponse response = new DefaultFullHttpResponse(HTTP_1_1, OK);
response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/html; charset=UTF-8");
String dirPath = dir.getPath();
StringBuilder buf = new StringBuilder()
.append("<!DOCTYPE html>\r\n")
.append("<html><head><title>")