RFR: 8245095: Implementation of JEP 408: Simple Web Server [v4]
jboes at openjdk.java.net
Tue Sep 21 14:17:36 UTC 2021
On Mon, 20 Sep 2021 16:16:10 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> src/jdk.httpserver/share/classes/sun/net/httpserver/simpleserver/FileServerHandler.java line 340:
>>> 338: }
>>> 339: }
>>> 340: return false;
>> This will start checking from the root of the file system. I believe we want to start checking from the root of the FileServerHandler, root excluded.
> Maybe these checks should be made in `mapToPath` instead since you already walk the path there - and IIRC returning null from `mapToPath` will cause HTTP 404.
Agreed. I refactored the handler to check `!isReadable`, `isHidden` and `isSymbolicLink` for each path segment from the root, excluding the root itself. If any of these conditions is met, a 404 response is sent. A generic 404 response hides potentially revealing information. The checks are repeated in handle() on line 375; let's keep them in there for reassurance.
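The per-segment walk described in the reply above, as an added illustration that is not the JDK's FileServerHandler code: a hypothetical `mapToPath` resolves a request path against the served root, walks every segment strictly below the root (the root itself is excluded), and returns null (the caller answers 404) if any segment is unreadable, hidden or a symbolic link, or if the normalized path escapes the root. It assumes the request path has already been URL-decoded and a POSIX filesystem (dot-prefixed names are hidden, symlinks can be created); the class name and the temp-directory layout in `main` are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example, not JDK code: segment-by-segment checks below a served root. */
public final class SegmentCheckExample {

    /**
     * Maps a decoded request path onto a file under root.
     * Returns null when the caller should send a generic 404: the path escapes
     * the root, or any segment below the root is unreadable, hidden or a symlink.
     */
    static Path mapToPath(Path root, String requestPath) {
        String trimmed = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        if (trimmed.isEmpty()) {
            return root;                       // "/" maps to the root, which is not checked
        }
        // Collapse "." and ".." lexically before touching the filesystem.
        Path relative = Path.of(trimmed).normalize();
        if (relative.isAbsolute() || relative.startsWith("..")) {
            return null;                       // "../" escape (or absolute path) after normalization
        }
        Path resolved = root.resolve(relative).normalize();
        if (!resolved.startsWith(root)) {
            return null;                       // defensive: still outside the served tree
        }
        // Walk each segment strictly below the root; the root itself is excluded.
        Path current = root;
        for (Path segment : relative) {
            current = current.resolve(segment);
            if (!Files.isReadable(current)      // also false for a missing file
                    || Files.isSymbolicLink(current)
                    || isHidden(current)) {
                return null;                   // one generic 404 for every failure reason
            }
        }
        return resolved;
    }

    /** Files.isHidden throws IOException; treat an error as "hidden" so it still yields 404. */
    private static boolean isHidden(Path p) {
        try {
            return Files.isHidden(p);
        } catch (IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a readable file, a subdirectory, a dotfile,
        // a symlinked file and a symlinked directory.
        Path root = Files.createTempDirectory("srv").toRealPath();
        Files.writeString(root.resolve("public.txt"), "hello");
        Files.createDirectories(root.resolve("sub"));
        Files.writeString(root.resolve("sub/nested.txt"), "nested");
        Files.writeString(root.resolve(".secret"), "dotfile");
        Files.createSymbolicLink(root.resolve("link.txt"), root.resolve("public.txt"));
        Files.createSymbolicLink(root.resolve("linkdir"), root.resolve("sub"));

        String[] requests = {
            "/", "/public.txt", "/sub/nested.txt", "/.secret", "/link.txt",
            "/linkdir/nested.txt", "/sub/../.secret", "/../etc/passwd", "/missing.txt"
        };
        for (String r : requests) {
            Path mapped = mapToPath(root, r);
            String shown = mapped == null ? "404"
                    : mapped.equals(root) ? "(root)" : root.relativize(mapped).toString();
            System.out.printf("%-22s -> %s%n", r, shown);
        }
    }
}
```

Walking every segment rather than only testing the final file is what catches a symlinked directory ("/linkdir/nested.txt") and a dotfile reached through "..": the final file alone would look ordinary. Because the loop starts below the root, the served directory itself may be hidden or a symlink without breaking every request.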
More information about the core-libs-dev