JEP 408 - Should path within hidden directories/symlinks be allowed as root path?
Julia Boes
julia.boes at oracle.com
Mon Nov 22 12:17:45 UTC 2021

Hi Jaikiran,

On 22/11/2021 09:29, Jaikiran Pai wrote:
> The newly introduced simple webserver, when launched from a directory,
> does the necessary checks to disallow serving of hidden files (and
> symlinks). So if I do something like:
>
> cd ~/
>
> java -m jdk.httpserver
>
> and then issue an HTTP request against something like
> localhost:8000/.ssh/known_hosts, then it won't serve that content
> because .ssh is a hidden directory. This behaviour matches what's stated
> in JEP 408.
>
> However, if I instead launch the server from within a hidden directory,
> like:
>
> cd ~/.ssh/
>
> java -m jdk.httpserver
>
> and then issue a localhost:8000/known_hosts request, then it does end up
> serving that content.
>
> Should the root path against which the server is launched be checked to
> see if any of its parent path(s) are hidden directories (or symlinks)
> and if so disallow the server creation?

This was a deliberate choice. In the first case, the user might not be aware of
hidden subdirectories so the accidental serving of such is prevented. In the
second case, the user explicitly specifies a hidden directory to be served so we
can assume it is not accidental. The message printed at startup also specifies
the directory being served.

Regards,
Julia
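
The behaviour discussed in this thread, modelled as an added example (not code from the JDK or from either poster): a per-request check that examines only the path components below the served root, next to the stricter launch-time check on the root's own ancestors that the question proposes. The class and method names are hypothetical, URL decoding is omitted, and the constructed sample tree assumes a Unix-like system where dot-prefixed names are hidden.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class RootPathCheck {   // hypothetical class, not part of jdk.httpserver

    // True if any name element of 'relative', resolved step by step from 'base',
    // is a symbolic link or is hidden according to Files.isHidden.
    static boolean hasHiddenOrSymlink(Path base, Path relative) throws IOException {
        Path current = base;
        for (Path name : relative) {
            if (name.toString().isEmpty()) continue;      // relative path was empty
            current = current.resolve(name);
            if (Files.isSymbolicLink(current) || Files.isHidden(current)) return true;
        }
        return false;
    }

    // Per-request check: only the part of the path below the root is examined.
    static boolean servable(Path root, String requestPath) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        Path target = base.resolve(requestPath.replaceFirst("^/+", "")).normalize();
        if (!target.startsWith(base)) return false;       // ".." escaped the root
        return !hasHiddenOrSymlink(base, base.relativize(target));
    }

    // Optional launch-time check on the root itself and all of its ancestors.
    static boolean rootIsHiddenOrLinked(Path root) throws IOException {
        Path abs = root.toAbsolutePath().normalize();
        return hasHiddenOrSymlink(abs.getRoot(), abs.getRoot().relativize(abs));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: <tmp>/home/.ssh/known_hosts
        Path home = Files.createTempDirectory("home");
        Path ssh = Files.createDirectories(home.resolve(".ssh"));
        Files.writeString(ssh.resolve("known_hosts"), "constructed sample line\n");

        System.out.println("root=home, GET /.ssh/known_hosts served: "
                + servable(home, "/.ssh/known_hosts"));
        System.out.println("root=home/.ssh, GET /known_hosts served: "
                + servable(ssh, "/known_hosts"));
        System.out.println("launch check flags home/.ssh as root: "
                + rootIsHiddenOrLinked(ssh));
    }
}
```

A wrapper script that wants the stricter behaviour can run a check like `rootIsHiddenOrLinked` before starting the server and refuse to launch, or require an explicit confirmation, when it reports a hidden or symlinked root.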