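/**
 * Prevents the client from accessing resources outside the directory's root.
 *
 * <p>The target URI is percent-decoded first and normalized afterwards, so
 * that encoded dot segments are folded before the containment check. The
 * resulting URI must lie inside {@code directory.getRootRef()}: either equal
 * to the root or strictly beneath it on a "/" boundary. Comparing on a
 * segment boundary rejects a sibling whose name merely begins with the root's
 * name, which a plain prefix test would accept; a root that already ends with
 * "/" is unaffected by this tightening.
 *
 * @throws ResourceException
 *             with {@link Status#CLIENT_ERROR_FORBIDDEN} when the normalized
 *             target lies outside the root.
 */
public void preventUpperDirectoryAccess() {
    String targetUriPath = new Reference(Reference.decode(targetUri))
            .normalize()
            .toString();
    String root = directory.getRootRef().toString();
    // Force the comparison onto a path-segment boundary so that
    // "<root>-other/..." is not accepted just because it starts with "<root>".
    String rootDir = root.endsWith("/") ? root : root + "/";
    if (!targetUriPath.equals(root) && !targetUriPath.startsWith(rootDir)) {
        throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
    }
}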
/**
 * Creates a client for the resource at {@code relativePath}, resolved against
 * this client's reference.
 *
 * <p>An absolute {@code http://} URI is used as given. A path starting with
 * "/" replaces the path of this client's reference; any other value is
 * appended to the current path and the result is normalized (dot segments
 * folded). Only the {@code http://} scheme prefix is recognized as absolute
 * here; other schemes fall through to the relative-path handling.
 * NOTE(review): a relative value containing ".." resolves above the current
 * path after normalization — confirm that callers pass trusted values.
 *
 * @param relativePath
 *            an absolute HTTP URI, a root-relative path, or a path relative
 *            to this client's reference.
 * @return a new client for the resolved reference.
 */
public synchronized ContextResourceClient newClient( String relativePath ) {
    boolean absoluteHttp = relativePath.startsWith( "http://" );
    if( absoluteHttp ) {
        return contextResourceFactory.newClient( new Reference( relativePath ) );
    }

    Reference target = this.reference.clone();
    boolean rootRelative = relativePath.startsWith( "/" );
    if( rootRelative ) {
        target.setPath( relativePath );
        return contextResourceFactory.newClient( target );
    }

    // Relative to the current path: concatenate, then fold "." / ".." segments.
    target.setPath( target.getPath() + relativePath );
    return contextResourceFactory.newClient( target.normalize() );
}
/**
 * Handles a call. Note that this implementation will systematically
 * normalize and URI-decode the resource reference.
 *
 * <p>Order matters here: the reference is normalized while still
 * percent-encoded and only then decoded. NOTE(review): confirm that
 * {@code Reference#normalize()} also folds percent-encoded dot segments
 * (for example {@code %2E%2E}); if it does not, the decoded path handed to
 * {@code handleLocal} may still contain ".." and the callee must re-check
 * containment itself.
 *
 * @param request
 *            The request to handle.
 * @param response
 *            The response to update.
 */
@Override
public final void handle(Request request, Response response) {
    // Fold "." and ".." segments before anything inspects the path.
    request.getResourceRef().normalize();

    // The path may be percent-encoded; local handling works on the decoded
    // form, and any URI generated from it must be re-encoded.
    String decodedPath = Reference.decode(request.getResourceRef().getPath());
    if (decodedPath == null) {
        getLogger().warning(
                "Unable to get the path of this local URI: "
                        + request.getResourceRef());
        return;
    }

    handleLocal(request, response, decodedPath);
}
result.normalize();
.normalize() .toString(false, false); if (!this.targetUri.startsWith(directory.getRootRef().toString())) {