RFR: 8245095: Implementation of JEP 408: Simple Web Server [v4]

Julia Boes jboes at openjdk.java.net
Tue Sep 21 14:17:36 UTC 2021

On Mon, 20 Sep 2021 16:16:10 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> src/jdk.httpserver/share/classes/sun/net/httpserver/simpleserver/FileServerHandler.java line 340:
>>> 338:                 }
>>> 339:             }
>>> 340:             return false;
>> This will start checking from the root of the file system. I believe we want to start checking from the root of the FileServerHandler, root excluded.
> Maybe these checks should be made in `mapToPath` instead since you already walk the path there - and IIRC returning null from `mapToPath` will cause HTTP 404.

Agreed. I refactored the handler to check `!isReadable`, `isHidden` and `isSymbolicLink` for each path segment from the root, excluding the root itself. If any of these conditions is met, a 404 response is sent. A generic 404 response for hides potentially revealing information. The checks are repeated in handle() on line 375, let's keep them in there for reassurance.


PR: https://git.openjdk.java.net/jdk/pull/5505

More information about the core-libs-dev mailing list