mirror of
https://github.com/webbukkit/dynmap.git
synced 2024-12-25 10:07:37 +01:00
Jetty CERT mitigation
This commit is contained in:
parent
58186bd478
commit
e9e34e0e90
@ -11,6 +11,10 @@ import java.io.File;
|
|||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.MalformedURLException;
|
import java.net.MalformedURLException;
|
||||||
|
|
||||||
|
import java.lang.reflect.Method;
|
||||||
|
import java.lang.reflect.Field;
|
||||||
|
import java.lang.Class;
|
||||||
|
|
||||||
public class FileResourceHandler extends ResourceHandler {
|
public class FileResourceHandler extends ResourceHandler {
|
||||||
private static String getNormalizedPath(String p) {
|
private static String getNormalizedPath(String p) {
|
||||||
p = p.replace('\\', '/');
|
p = p.replace('\\', '/');
|
||||||
@ -44,9 +48,10 @@ public class FileResourceHandler extends ResourceHandler {
|
|||||||
@Override
|
@Override
|
||||||
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
||||||
Resource resource;
|
Resource resource;
|
||||||
target = getNormalizedPath(target);
|
String normalizedTarget = getNormalizedPath(target);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
resource = getResource(target);
|
resource = getResource(normalizedTarget);
|
||||||
} catch(MalformedURLException ex) {
|
} catch(MalformedURLException ex) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -57,6 +62,20 @@ public class FileResourceHandler extends ResourceHandler {
|
|||||||
if (file == null) {
|
if (file == null) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
super.handle(target, baseRequest, request, response);
|
if(!target.equals(normalizedTarget)){
|
||||||
|
baseRequest.setRequestURI(normalizedTarget);
|
||||||
|
baseRequest.setPathInfo(normalizedTarget);
|
||||||
|
try{
|
||||||
|
Class<?> requestClass = request.getClass();
|
||||||
|
Field field = requestClass.getDeclaredField("_pathInfo");
|
||||||
|
field.setAccessible(true);
|
||||||
|
field.set(request, normalizedTarget);
|
||||||
|
} catch (Exception ignore) {
|
||||||
|
//It's unsafe to continue since these lines will be triggered by only malicious requests.
|
||||||
|
ignore.printStackTrace();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
super.handle(normalizedTarget, baseRequest, request, response);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user