From d2e68cdb39c92e131626b88f6a472d7d84f698d4 Mon Sep 17 00:00:00 2001
From: Tomer Cohen
Date: Mon, 15 Aug 2016 15:15:10 +0300
Subject: [PATCH] Never expose user.dir to the web on directory listing

Motivation:

When Netty HTTP Static File Server does directory listing, it does expose the user.dir environment variable to the user. Although it isn't a security issue, it is a bad practice to show it, and the user does expect to see the server virtual root instead, which is the absolute path as mentioned in the RFC.

Modifications:

The sendListing method receives a third argument, which is the requested URI, and this is what should be displayed on the page instead of the filesystem path.

Result:

The directory listing pages will show the virtual path as described in the URI and not the real filesystem path.

Removed fallback method
---
 .../netty/example/http/file/HttpStaticFileServerHandler.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/example/src/main/java/io/netty/example/http/file/HttpStaticFileServerHandler.java b/example/src/main/java/io/netty/example/http/file/HttpStaticFileServerHandler.java index 9236ded922..c88ce9af45 100644 --- a/example/src/main/java/io/netty/example/http/file/HttpStaticFileServerHandler.java +++ b/example/src/main/java/io/netty/example/http/file/HttpStaticFileServerHandler.java @@ -136,7 +136,7 @@ public class HttpStaticFileServerHandler extends SimpleChannelInboundHandler\r\n") .append("")
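Review bot: in the hunk at line 136, the requested URI that sendListing now receives is client-controlled, and nothing visible here shows it being HTML-escaped before the `.append(...)` chain writes it into the listing page. The filesystem path it replaces was derived on the server side, whereas the URI arrives as sent in the request, so any markup in the request path would be reflected into the generated HTML. Please escape the value (at least `&`, `<`, `>`, `"` and `'`) at the point where it is appended, or pass in the already decoded and sanitized path that the handler uses to resolve the file, and add a short comment on the new parameter saying which form the caller is expected to supply. Separately, the commit message calls user.dir an environment variable; it is a Java system property, which is worth correcting in the message for anyone who later searches for this change.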