JEP 408 - Should path within hidden directories/symlinks be allowed as root path?
Jaikiran Pai
jai.forums2013 at gmail.com
Tue Nov 23 03:40:00 UTC 2021
Thank you Daniel and Julia for the clarification.
-Jaikiran
On 22/11/21 5:47 pm, Julia Boes wrote:
> Hi Jaikiran,
>
> On 22/11/2021 09:29, Jaikiran Pai wrote:
>> The newly introduced simple webserver when launched from a directory
>> does the necessary checks to disallow serving of hidden files (and
>> symlinks). So if I do something like:
>>
>> cd ~/
>>
>> java -m jdk.httpserver
>>
>> and then issue an HTTP request against something like
>> localhost:8000/.ssh/known_hosts, then it won't serve that content
>> because .ssh is a hidden directory. This behaviour matches what's stated
>> in the JEP 408.
>>
>> However, if I instead launch the server from within a hidden directory,
>> like:
>>
>> cd ~/.ssh/
>>
>> java -m jdk.httpserver
>>
>> and then issue a localhost:8000/known_hosts request, then it does end up
>> serving that content.
>>
>> Should the root path against which the server is launched be checked to
>> see if any of its parent path(s) are hidden directories (or symlinks)
>> and if so disallow the server creation?
> This was a deliberate choice. In the first case, the user might not be aware of
> hidden subdirectories so the accidental serving of such is prevented. In the
> second case, the user explicitly specifies a hidden directory to be served so we
> can assume it is not accidental. The message printed at startup also specifies
> the directory being served.
>
> Regards,
> Julia
>
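For readers who want the stricter behaviour asked about in this thread, the following added example (not code from the thread or from the JDK) wraps the JEP 408 `SimpleFileServer` API in a launcher that refuses to start when the root directory is, or lies beneath, a hidden directory or a symbolic link. The class name `StrictRootServer` and the helper `firstHiddenOrSymlink` are hypothetical; the loopback address is this example's choice, and port 8000 matches the requests shown in the thread.

```java
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.SimpleFileServer;
import com.sun.net.httpserver.SimpleFileServer.OutputLevel;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Hypothetical launcher, not part of the JDK: applies to the root path itself
// the hidden/symlink rule that the server applies to paths below the root.
public class StrictRootServer {

    // Walks the absolute root path one component at a time and returns the
    // first component that is a symbolic link or hidden, if there is one.
    static Optional<Path> firstHiddenOrSymlink(Path root) throws IOException {
        // normalize() drops "." and ".." lexically; it does not follow links,
        // so a symlinked component is still visible to the check below.
        Path abs = root.toAbsolutePath().normalize();
        Path current = abs.getRoot();
        for (Path name : abs) {
            current = current.resolve(name);
            if (Files.isSymbolicLink(current) || Files.isHidden(current)) {
                return Optional.of(current);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Default to the current directory, as `java -m jdk.httpserver` does.
        Path root = Path.of(args.length > 0 ? args[0] : "")
                .toAbsolutePath().normalize();
        Optional<Path> bad = firstHiddenOrSymlink(root);
        if (bad.isPresent()) {
            System.err.println("Refusing to serve " + root + ": "
                    + bad.get() + " is hidden or a symbolic link");
            System.exit(1);
        }
        InetSocketAddress addr =
                new InetSocketAddress(InetAddress.getLoopbackAddress(), 8000);
        // createFileServer requires an absolute path to a readable directory.
        HttpServer server =
                SimpleFileServer.createFileServer(addr, root, OutputLevel.INFO);
        server.start();
        System.out.println("Serving " + root + " on " + addr);
    }
}
```

Run from `~/.ssh/` with no arguments, this launcher exits with an error naming the `.ssh` component instead of serving `known_hosts`.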
More information about the net-dev mailing list