On Mon, 20 Sep 2021 16:16:10 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> src/jdk.httpserver/share/classes/sun/net/httpserver/simpleserver/FileServerHandler.java line 340:
>>
>>> 338: }
>>> 339: }
>>> 340: return false;
>>
>> This will start checking from the root of the file system. I believe we want to start checking from the root of the FileServerHandler, root excluded.
>
> Maybe these checks should be made in `mapToPath` instead since you already walk the path there - and IIRC returning null from `mapToPath` will cause HTTP 404.

Agreed. I refactored the handler to check `!isReadable`, `isHidden` and `isSymbolicLink` for each path segment from the root, excluding the root itself. If any of these conditions is met, a 404 response is sent. A generic 404 response hides potentially revealing information. The checks are repeated in handle() on line 375, let's keep them in there for reassurance.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5505
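The per-segment walk the reply describes, as an added illustration written for this note and not code from the OpenJDK PR: the class name `SegmentChecks`, the containment check against the root, and the assumption that `requestPath` is already URL-decoded with no query string are mine.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Illustrative stand-in for a mapToPath-style resolver: null means "send a 404". */
public final class SegmentChecks {

    private SegmentChecks() {}

    /**
     * Resolves requestPath against the server root and checks every segment
     * below the root. A segment that is unreadable, hidden, or a symbolic link
     * makes the request unresolvable; the caller answers with a generic 404 so
     * the response does not reveal which condition applied.
     */
    public static Path mapToPath(Path root, String requestPath) throws IOException {
        Path normalizedRoot = root.toAbsolutePath().normalize();
        // Drop the leading '/' so resolve() treats the request as relative.
        String trimmed = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        Path resolved = normalizedRoot.resolve(trimmed).normalize();
        // Assumed addition, not from the PR thread: a normalized path that
        // escaped the root (e.g. via ".." or a second leading '/') is never served.
        if (!resolved.startsWith(normalizedRoot)) {
            return null;
        }
        // The root itself is excluded from the checks, as in the reply.
        if (resolved.equals(normalizedRoot)) {
            return resolved;
        }
        // Walk segment by segment from the root downwards; a hidden directory
        // or a symlink anywhere on the way rejects the whole request.
        Path current = normalizedRoot;
        for (Path segment : normalizedRoot.relativize(resolved)) {
            current = current.resolve(segment);
            if (!Files.isReadable(current)      // also false when the file does not exist
                    || Files.isHidden(current)
                    || Files.isSymbolicLink(current)) {
                return null;
            }
        }
        return resolved;
    }
}
```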