is a Java framework binding Vaadin web components to Java.
| HandlerHelper.java (vaadin-flow-4.0.5) | : | HandlerHelper.java (vaadin-flow-4.0.6) |
|---|
| | |
| skipping to change at line 19 | | skipping to change at line 19 |
|---|
| * | | * |
| * Unless required by applicable law or agreed to in writing, software | | * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| * License for the specific language governing permissions and limitations under | | * License for the specific language governing permissions and limitations under |
| * the License. | | * the License. |
| */ | | */ |
| package com.vaadin.flow.server; | | package com.vaadin.flow.server; |
| | |
| import java.io.Serializable; | | import java.io.Serializable; |
|
| | import java.io.UnsupportedEncodingException; |
| | import java.net.URLDecoder; |
| | import java.nio.charset.StandardCharsets; |
| import java.util.Locale; | | import java.util.Locale; |
| import java.util.function.BiConsumer; | | import java.util.function.BiConsumer; |
|
| | import java.util.regex.Pattern; |
| | |
| import com.vaadin.flow.component.UI; | | import com.vaadin.flow.component.UI; |
| import com.vaadin.flow.shared.ApplicationConstants; | | import com.vaadin.flow.shared.ApplicationConstants; |
| | |
| /** | | /** |
| * Contains helper methods for {@link VaadinServlet} and generally for handling | | * Contains helper methods for {@link VaadinServlet} and generally for handling |
| * {@link VaadinRequest VaadinRequests}. | | * {@link VaadinRequest VaadinRequests}. |
| * | | * |
| * @since 1.0 | | * @since 1.0 |
| */ | | */ |
| public class HandlerHelper implements Serializable { | | public class HandlerHelper implements Serializable { |
| | |
| /** | | /** |
| * The default SystemMessages (read-only). | | * The default SystemMessages (read-only). |
| */ | | */ |
| static final SystemMessages DEFAULT_SYSTEM_MESSAGES = new SystemMessages(); | | static final SystemMessages DEFAULT_SYSTEM_MESSAGES = new SystemMessages(); |
| | |
| /** | | /** |
|
| | * The pattern of error message shown when the URL path contains unsafe |
| | * double encoding. |
| | */ |
| | static final String UNSAFE_PATH_ERROR_MESSAGE_PATTERN = "Blocked attempt to |
| | access file: {}"; |
| | |
| | private static final Pattern PARENT_DIRECTORY_REGEX = Pattern |
| | .compile("(/|\\\\)\\.\\.(/|\\\\)?", Pattern.CASE_INSENSITIVE); |
| | |
| | /** |
| * Framework internal enum for tracking the type of a request. | | * Framework internal enum for tracking the type of a request. |
| */ | | */ |
| public enum RequestType { | | public enum RequestType { |
| | |
| /** | | /** |
| * INIT requests. | | * INIT requests. |
| */ | | */ |
| INIT(ApplicationConstants.REQUEST_TYPE_INIT), | | INIT(ApplicationConstants.REQUEST_TYPE_INIT), |
| | |
| /** | | /** |
| | |
| skipping to change at line 179 | | skipping to change at line 192 |
|---|
| StringBuilder sb = new StringBuilder("."); | | StringBuilder sb = new StringBuilder("."); |
| // Start from i = 1 to ignore first slash | | // Start from i = 1 to ignore first slash |
| for (int i = 1; i < pathToCancel.length(); i++) { | | for (int i = 1; i < pathToCancel.length(); i++) { |
| if (pathToCancel.charAt(i) == '/') { | | if (pathToCancel.charAt(i) == '/') { |
| sb.append("/.."); | | sb.append("/.."); |
| } | | } |
| } | | } |
| return sb.toString(); | | return sb.toString(); |
| } | | } |
| | |
|
| | /** |
| | * Checks if the given URL path contains the directory change instruction |
| | * (dot-dot), taking into account possible double encoding in hexadecimal |
| | * format, which can be injected maliciously. |
| | * |
| | * @param path |
| | * the URL path to be verified. |
| | * @return {@code true}, if the given path has a directory change |
| | * instruction, {@code false} otherwise. |
| | */ |
| | static boolean isPathUnsafe(String path) { |
| | // Check that the path does not have '/../', '\..\', %5C..%5C, |
| | // %2F..%2F, nor '/..', '\..', %5C.., %2F.. |
| | try { |
| | path = URLDecoder.decode(path, StandardCharsets.UTF_8.name()); |
| | } catch (UnsupportedEncodingException e) { |
| | throw new RuntimeException("An error occurred during decoding URL.", |
| | e); |
| | } |
| | return PARENT_DIRECTORY_REGEX.matcher(path).find(); |
| | } |
| | |
| } | | } |
| | | |
| End of changes. 4 change blocks. |
|---|
| 0 lines changed or deleted | | 36 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 