[cometvisu] fix path check regressions (openhab#2719)

1. Fix serving the index.html when "/" (or empty) path is requested 2. Fix allowing files beeing served from special cometvisu config folder Signed-off-by: Tobias Bräutigam <[email protected]>
jimtng · Aug 21, 2024 · 51d2811 · 51d2811
1 parent ca42730
commit 51d2811
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/...i.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java b/...i.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java
@@ -193,11 +193,12 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
 
         // check services folder if a file exists there
         if (requestedFile != null) {
-            if (requestedFile.endsWith("/")) {
+            if (requestedFile.endsWith(File.separator)) {
                 requestedFile = requestedFile.substring(0, requestedFile.length() - 1);
             }
             file = new File(userFileFolder, URLDecoder.decode(requestedFile, StandardCharsets.UTF_8));
-            if (!file.getCanonicalPath().startsWith(userFileFolder.getCanonicalPath() + File.separator)) {
+            if (!file.getCanonicalPath().startsWith(userFileFolder.getCanonicalPath())
+                    && !file.getCanonicalPath().equals(userFileFolder.getCanonicalPath())) {
                 return null;
             }
         }
@@ -206,7 +207,8 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
             file = requestedFile != null
                     ? new File(rootFolder, URLDecoder.decode(requestedFile, StandardCharsets.UTF_8))
                     : rootFolder;
-            if (!file.getCanonicalPath().startsWith(rootFolder.getCanonicalPath() + File.separator)) {
+            if (!file.getCanonicalPath().startsWith(rootFolder.getCanonicalPath())
+                    && !file.getCanonicalPath().equals(rootFolder.getCanonicalPath())) {
                 return null;
             }
         }
@@ -455,7 +457,8 @@ private void processStaticRequest(@Nullable File file, HttpServletRequest reques
         } else {
             processFile = file;
         }
-        if (!processFile.getCanonicalPath().startsWith(rootFolder.getCanonicalPath() + File.separator)) {
+        if (!processFile.getCanonicalPath().startsWith(rootFolder.getCanonicalPath() + File.separator)
+                && !processFile.getCanonicalPath().startsWith(userFileFolder.getCanonicalPath() + File.separator)) {
             response.sendError(HttpServletResponse.SC_NOT_ACCEPTABLE);
             return;
         }