HttpResponseStatus.FORBIDDEN.orInSafeMode(HttpResponseStatus.NOT_FOUND).send(channel, request)
return false
}
- else if (!checkAccess(file, Paths.get(pathInfo.root.path))) {
+ else if (!hasAccess(file)) {
+ // we check only file, but all directories in the path because of https://youtrack.jetbrains.com/issue/WEB-21594
HttpResponseStatus.FORBIDDEN.orInSafeMode(HttpResponseStatus.NOT_FOUND).send(channel, request)
return false
}
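Review bot: Switching the guard to `hasAccess(file)` means only the requested file's own name and hidden flag are tested, so a readable file inside any dot-prefixed or hidden directory under a served root now gets through, where the old `checkAccess(file, Paths.get(pathInfo.root.path))` call presumably rejected it. The updated test shows this is intended for `.coverage`, but the relaxation is not limited to that folder: tool and VCS metadata directories, which often hold credentials or local configuration, become reachable the same way. Consider keeping the parent walk and exempting an explicit list of directory names instead of dropping it. The added comment also reads inverted and should say `// we check only the file, not the directories in its path, because of https://youtrack.jetbrains.com/issue/WEB-21594`. The enclosing function starts and ends outside this hunk.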
}
// deny access to any dot prefixed file
-private fun hasAccess(result: Path) = Files.isReadable(result) && !(Files.isHidden(result) || result.fileName.toString().startsWith('.'))
\ No newline at end of file
+internal fun hasAccess(result: Path) = Files.isReadable(result) && !(Files.isHidden(result) || result.fileName.toString().startsWith('.'))
\ No newline at end of file
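Review bot: `hasAccess` is widened to `internal` and is now the only access check on the request path, yet its comment still says just "deny access to any dot prefixed file" and does not state that parent directories are not inspected. A caller elsewhere in the module could read the name as a complete access decision. Suggest a KDoc on the function such as `/** Checks the last path segment only: readable, not hidden, name not starting with '.'. Parent directories are NOT checked. */`.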
internal fun testUrl(url: String, expectedStatus: HttpResponseStatus): HttpURLConnection {
val connection = URL(url).openConnection() as HttpURLConnection
+ BuiltInServerManager.getInstance().configureRequestToWebServer(connection)
assertThat(HttpResponseStatus.valueOf(connection.responseCode)).isEqualTo(expectedStatus)
return connection
}
\ No newline at end of file
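Review bot: With `configureRequestToWebServer(connection)` applied unconditionally inside `testUrl`, every caller now sends only the configured request. Nothing built on this helper can exercise a request that lacks whatever that call attaches (presumably a token or header the server expects; its body is not visible here). A defaulted parameter such as `configure: Boolean = true` would keep existing callers unchanged and let one test assert the status returned for an unconfigured request. A short comment above the call saying why it is required would also help the next reader.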
}
@Test
- fun `hidden dir`() {
+ fun `file in hidden folder`() {
val projectDir = tempDirManager.newPath().resolve("foo/bar")
val projectDirPath = projectDir.systemIndependentPath
createHeavyProject("$projectDirPath/test.ipr").use { project ->
LocalFileSystem.getInstance().refreshAndFindFileByPath(projectDirPath)
createModule(projectDirPath, project)
- val dir = projectDir.resolve(".doNotExposeMe")
+ val dir = projectDir.resolve(".coverage")
if (SystemInfo.isWindows) {
Files.setAttribute(dir, "dos:hidden", true)
}
- val path = dir.resolve("foo").write("doNotExposeMe").systemIndependentPath
+ val path = dir.resolve("foo").write("exposeMe").systemIndependentPath
val relativePath = FileUtil.getRelativePath(project.basePath!!, path, '/')
val webPath = StringUtil.replace(UrlEscapers.urlPathSegmentEscaper().escape("${project.name}/$relativePath"), "%2F", "/")
- testUrl("http://localhost:${BuiltInServerManager.getInstance().port}/$webPath", HttpResponseStatus.FORBIDDEN)
+ testUrl("http://localhost:${BuiltInServerManager.getInstance().port}/$webPath", HttpResponseStatus.OK)
}
}
}
\ No newline at end of file
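Review bot: The only assertion in this test that a hidden location is refused has been flipped to `HttpResponseStatus.OK`, and the hunk adds no negative case in its place, so a later regression in the remaining dot-file rule would go unnoticed here. Add a sibling test that writes a dot-prefixed file in the same folder, e.g. `dir.resolve(".foo").write("doNotExposeMe")`, and keeps `testUrl(..., HttpResponseStatus.FORBIDDEN)`. Separately, the context lines call `Files.setAttribute(dir, "dos:hidden", true)` before anything visible in the hunk creates `dir`. If `write` is what creates the directory, the Windows branch would fail or never mark it hidden, which is worth confirming.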