[https://issues.redhat.com/browse/WFLY-14247?page=com.atlassian.jira.plugi...]
Michal Petrov commented on WFLY-14247:
--------------------------------------
Undertow rejects certain requests straight away, bypassing the custom error page.
It's because of this method in {{ServletInitialHandler}}:
{code:java}
private boolean isForbiddenPath(String path) {
    return path.equalsIgnoreCase("/meta-inf/")
            || path.regionMatches(true, 0, "/web-inf/", 0,
                    "/web-inf/".length());
}
{code}
So it will reject "/META-INF/" specifically and anything that starts with
"/WEB-INF/".
Allowed requests then end up with {{DefaultServlet}}, which has this method:
{code:java}
private boolean isAllowed(String path, DispatcherType dispatcherType) {
    if (!path.isEmpty()) {
        if(dispatcherType == DispatcherType.REQUEST) {
            //WFLY-3543 allow the dispatcher to access stuff in web-inf and meta inf
            if (path.startsWith("/META-INF") ||
                    path.startsWith("META-INF") ||
                    path.startsWith("/WEB-INF") ||
                    path.startsWith("WEB-INF")) {
                return false;
            }
        }
    }
    …
}
{code}
[~flavia.rainone], do you know why there are two checks set up like this? And
shouldn't the first check still forward to the custom error page?
Error Page is not displayed when trying to access META-INF or WEB-INF
---------------------------------------------------------------------
Key: WFLY-14247
URL: https://issues.redhat.com/browse/WFLY-14247
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 21.0.2.Final
Reporter: Melvin Yam
Assignee: Flavia Rainone
Priority: Minor
Attachments: mywebapp.war
I have a simple webapp war file with the following structure:
{quote}
{{Listing archive: mywebapp.war}}
{{--}}
{{Path = mywebapp.war}}
{{Type = zip}}
{{Physical Size = 1441}}
{{Date Time Attr Size Compressed Name}}
{{------------------- ----- ------------ ------------ ------------------------}}
{{2020-12-23 20:09:20 ....A 18 18 error.html}}
{{2020-12-23 20:09:02 ....A 18 18 index.html}}
{{2020-12-23 20:10:13 D.... 0 0 META-INF}}
{{2020-12-23 03:16:37 ....A 39 39 META-INF\MANIFEST.MF}}
{{2020-12-23 20:12:38 D.... 0 0 WEB-INF}}
{{2020-12-23 20:12:28 D.... 0 0 WEB-INF\classes}}
{{2020-12-23 20:12:35 D.... 0 0 WEB-INF\lib}}
{{2020-12-23 20:11:54 ....A 480 248 WEB-INF\web.xml}}
{{------------------- ----- ------------ ------------ ------------------------}}
{{2020-12-23 20:12:38 555 323 4 files, 4 folders}}
{quote}
In web.xml, it defines the error page:
{quote}<web-app
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
    http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0">
  <display-name>mywebapp</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <error-page>
    <location>/error.html</location>
  </error-page>
</web-app>
{quote}
After deploying the webapp successfully in a local WildFly server, accessing the following URLs will trigger the error page to be shown:
[http://127.0.0.1:8080/mywebapp/dummy]
[http://127.0.0.1:8080/mywebapp/META-INF/MANIFEST.MF]
[http://127.0.0.1:8080/mywebapp/META-INF/dummy/dummy]
However, the following URLs will NOT trigger the error page:
[http://127.0.0.1:8080/mywebapp/META-INF]
[http://127.0.0.1:8080/mywebapp/WEB-INF]
[http://127.0.0.1:8080/mywebapp/WEB-INF/web.xml|http://127.0.0.1:8080/mywe...]
[http://127.0.0.1:8080/mywebapp/WEB-INF/dummy/dummy]
Instead, it just displays the text "404 - Not Found".
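The two checks quoted in the comment, applied to the request paths from the report, as an added example (not Undertow's or the reporter's code). It assumes each check sees the path relative to the {{/mywebapp}} context, uses a local {{DispatcherType}} enum in place of the servlet API, and treats the elided part of {{isAllowed}} as allowing the request.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ForbiddenPathChecks {
    // Stand-in for javax.servlet.DispatcherType so the example runs without a servlet API jar.
    enum DispatcherType { REQUEST, FORWARD, INCLUDE, ERROR }

    // First check, copied from the ServletInitialHandler snippet in the comment.
    static boolean isForbiddenPath(String path) {
        return path.equalsIgnoreCase("/meta-inf/")
                || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length());
    }

    // Second check: only the visible part of the DefaultServlet snippet. The elided
    // remainder is not modelled and is treated here as "allowed" (assumption).
    static boolean isAllowed(String path, DispatcherType dispatcherType) {
        if (!path.isEmpty() && dispatcherType == DispatcherType.REQUEST) {
            if (path.startsWith("/META-INF") || path.startsWith("META-INF")
                    || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) {
                return false;
            }
        }
        return true;
    }

    // Names the first of the two checks that would turn the request away.
    static String firstMatch(String path) {
        if (isForbiddenPath(path)) return "ServletInitialHandler";
        if (!isAllowed(path, DispatcherType.REQUEST)) return "DefaultServlet";
        return "neither";
    }

    public static void main(String[] args) {
        // Paths from the report, relative to /mywebapp (assumption);
        // value = whether the reporter saw the custom error page.
        Map<String, Boolean> reported = new LinkedHashMap<>();
        reported.put("/dummy", true);
        reported.put("/META-INF/MANIFEST.MF", true);
        reported.put("/META-INF/dummy/dummy", true);
        reported.put("/META-INF", false);
        reported.put("/WEB-INF", false);
        reported.put("/WEB-INF/web.xml", false);
        reported.put("/WEB-INF/dummy/dummy", false);
        reported.forEach((path, errorPage) -> System.out.printf(
                "%-24s matched by %-22s error page reported: %s%n",
                path, firstMatch(path), errorPage));
    }
}
```

Run it with {{java ForbiddenPathChecks.java}} (Java 11 or later). For {{/META-INF}} and {{/WEB-INF}} without a trailing slash the first check as quoted does not match, so the two snippets alone do not account for the plain 404 reported for those two URLs.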