Prevent Undertow from exposing classpath files

Update `UndertowEmbeddedServletContainerFactory` so that the `ClassPathResourceManager` is no longer registered by default. Prior to this commit the resource manager would be registered whenever a valid document root could not be found. This had the effect of exposing all classpath files. Fixes gh-4015

Prevent Undertow from exposing classpath files
Update `UndertowEmbeddedServletContainerFactory` so that the `ClassPathResourceManager` is no longer registered by default. Prior to this commit the resource manager would be registered whenever a valid document root could not be found. This had the effect of exposing all classpath files. Fixes gh-4015
c804299c · Phillip Webb · 56643222 · c804299c · c804299c
Commit c804299c authored Oct 15, 2015 by Phillip Webb
2 changed files
--- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
+++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
@@ -56,7 +56,6 @@ import org.xnio.SslClientAuthMode;
 import io.undertow.Undertow;
 import io.undertow.Undertow.Builder;
 import io.undertow.UndertowMessages;
-import io.undertow.server.handlers.resource.ClassPathResourceManager;
 import io.undertow.server.handlers.resource.FileResourceManager;
 import io.undertow.server.handlers.resource.Resource;
 import io.undertow.server.handlers.resource.ResourceChangeListener;
@@ -370,10 +369,7 @@ public class UndertowEmbeddedServletContainerFactory
 		if (root != null && root.isFile()) {
 			return new JarResourcemanager(root);
 		}
-		if (this.resourceLoader != null) {
+		return ResourceManager.EMPTY_RESOURCE_MANAGER;
-			return new ClassPathResourceManager(this.resourceLoader.getClassLoader(), "");
-		}
-		return new ClassPathResourceManager(getClass().getClassLoader(), "");
 	}
 	private void configureErrorPages(DeploymentInfo servletBuilder) {

--- a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
+++ b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -482,6 +482,17 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests {
 				equalTo("test"));
 	}
+	@Test
+	public void cannotReadClassPathFiles() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		this.container = factory
+				.getEmbeddedServletContainer(exampleServletRegistration());
+		this.container.start();
+		ClientHttpResponse response = getClientResponse(
+				getLocalUrl("/org/springframework/boot/SpringApplication.class"));
+		assertThat(response.getStatusCode(), equalTo(HttpStatus.NOT_FOUND));
+	}
 	private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) {
 		return getSsl(clientAuth, keyPassword, keyStore, null);
 	}