You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This only affects *nix OS's and will only serve files from the web root, but it potentially exposes the full path to the web root to a user who can guess the path.
That URL above works because the path /Users/brad/Projects/mySite/css/fontawesome.css is a real absolute path on the file system. However, it should not work. The mapped resource manager allows this because it strips off the cfmlDirsFile path from the start and determines that path lives within a content path we're serving files from. That may make sense in some internal uses cases but not from the URL. I'm unclear on whether the getResource() method of a io.undertow.server.handlers.resource.ResourceManager always gets relative paths, or needs to account for absolute paths as well.
The text was updated successfully, but these errors were encountered:
This only affects *nix OS's and will only serve files from the web root, but it potentially exposes the full path to the web root to a user who can guess the path.
That URL above works because the path
/Users/brad/Projects/mySite/css/fontawesome.cssis a real absolute path on the file system. However, it should not work. The mapped resource manager allows this because it strips off the cfmlDirsFile path from the start and determines that path lives within a content path we're serving files from. That may make sense in some internal uses cases but not from the URL. I'm unclear on whether thegetResource()method of aio.undertow.server.handlers.resource.ResourceManageralways gets relative paths, or needs to account for absolute paths as well.The text was updated successfully, but these errors were encountered: