
Source code changes of the file "flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java" between
vaadin-flow-4.0.5.tar.gz and vaadin-flow-4.0.6.tar.gz

About: Vaadin flow is a Java framework binding Vaadin web components to Java.

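--- a/flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java
+++ b/flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java
@@ -19,33 +19,44 @@
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
 package com.vaadin.flow.server;
 import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.Locale;
 import java.util.function.BiConsumer;
+import java.util.regex.Pattern;
 import com.vaadin.flow.component.UI;
 import com.vaadin.flow.shared.ApplicationConstants;
 /**
 * Contains helper methods for {@link VaadinServlet} and generally for handling
 * {@link VaadinRequest VaadinRequests}.
 *
 * @since 1.0
 */
 public class HandlerHelper implements Serializable {
 /**
 * The default SystemMessages (read-only).
 */
 static final SystemMessages DEFAULT_SYSTEM_MESSAGES = new SystemMessages();
 /**
+* The pattern of error message shown when the URL path contains unsafe
+* double encoding.
+*/
+static final String UNSAFE_PATH_ERROR_MESSAGE_PATTERN = "Blocked attempt to access file: {}";
+private static final Pattern PARENT_DIRECTORY_REGEX = Pattern
+.compile("(/|\\\\)\\.\\.(/|\\\\)?", Pattern.CASE_INSENSITIVE);
+/**
 * Framework internal enum for tracking the type of a request.
 */
 public enum RequestType {
 /**
 * INIT requests.
 */
 INIT(ApplicationConstants.REQUEST_TYPE_INIT),
 /**
@@ -179,10 +192,31 @@
 StringBuilder sb = new StringBuilder(".");
 // Start from i = 1 to ignore first slash
 for (int i = 1; i < pathToCancel.length(); i++) {
 if (pathToCancel.charAt(i) == '/') {
 sb.append("/..");
 }
 }
 return sb.toString();
 }
+/**
+* Checks if the given URL path contains the directory change instruction
+* (dot-dot), taking into account possible double encoding in hexadecimal
+* format, which can be injected maliciously.
+*
+* @param path
+* the URL path to be verified.
+* @return {@code true}, if the given path has a directory change
+* instruction, {@code false} otherwise.
+*/
+static boolean isPathUnsafe(String path) {
+// Check that the path does not have '/../', '\..\', %5C..%5C,
+// %2F..%2F, nor '/..', '\..', %5C.., %2F..
+try {
+path = URLDecoder.decode(path, StandardCharsets.UTF_8.name());
+} catch (UnsupportedEncodingException e) {
+throw new RuntimeException("An error occurred during decoding URL.",
+e);
+}
+return PARENT_DIRECTORY_REGEX.matcher(path).find();
+}
 }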
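Review bot: `isPathUnsafe` only catches `UnsupportedEncodingException`, but `URLDecoder.decode` also throws `IllegalArgumentException` on a malformed percent-escape (a bare `%` or a `%` followed by non-hex characters), so a request path that cannot be decoded escapes this check as an unhandled runtime exception instead of being rejected. Since the method's purpose is to block paths before a file is served, decode failure should fail closed: add `} catch (IllegalArgumentException e) {` / `// Undecodable escape: refuse the path rather than propagate` / `return true;` after the existing catch. It is also worth noting in the Javadoc that the input is decoded exactly once and that `+` is decoded to a space (a side effect of `URLDecoder` that does not affect the dot-dot match), and that a null `path` raises a `NullPointerException` from the decoder. The caller that logs `UNSAFE_PATH_ERROR_MESSAGE_PATTERN` is outside this hunk, so whether the exception would surface as a 500 cannot be confirmed here.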
 End of changes. 4 change blocks. 
0 lines changed or deleted 36 lines changed or added
