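/**
 * Returns a {@code file:} URL for a resource inside this context.
 *
 * <p>As with {@code getRealPath()}, the lookup is local to the current context and cannot reach
 * into a sub-context, so no sub-request is needed.
 *
 * <p>Containment inside the context directory rests entirely on {@code FileUtil.safePath()},
 * which is not shown here. NOTE(review): confirm it also covers symbolic links and
 * platform-specific separators, not only ".." segments.
 *
 * @param rpath context-relative path; a leading "/" is added when it is missing
 * @return the resource URL, or {@code null} when {@code rpath} is null, when
 *     {@code URLUtil.hasEscape(rpath)} is true, when {@code FileUtil.safePath()} rejects the
 *     path, or when the URL for the resolved path cannot be built
 * @throws MalformedURLException if the URL for the context root (empty {@code rpath}) cannot be
 *     built
 */
public URL getResource(String rpath) throws MalformedURLException {
    if (rpath == null) {
        return null;
    }
    // Refuse flagged paths before any path handling. The helper is not visible here;
    // presumably it detects encoded characters in the path (confirm).
    if (URLUtil.hasEscape(rpath)) {
        return null;
    }

    String absPath = getAbsolutePath();
    // The empty path names the context root itself, so there is nothing to resolve.
    if ("".equals(rpath)) {
        return new URL("file", null, 0, absPath);
    }
    if (!rpath.startsWith("/")) {
        rpath = "/" + rpath;
    }

    // A null result means the helper refused the path.
    String realPath = FileUtil.safePath(absPath, rpath);
    if (realPath == null) {
        // NOTE(review): rpath is caller-supplied and is written to the log as-is; confirm that
        // log() neutralises line breaks so a crafted path cannot forge log entries.
        log("Unsafe path " + absPath + " " + rpath);
        return null;
    }

    try {
        URL url = new URL("file", null, 0, realPath);
        if (debug > 9) {
            log("getResourceURL=" + url + " request=" + rpath);
        }
        return url;
    } catch (MalformedURLException ex) {
        // Report through the context log instead of printStackTrace(), so the failure lands
        // next to the other messages of this context rather than on stderr.
        log("getResource: cannot build URL for " + realPath + ": " + ex);
        return null;
    }
}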
/**
 * Maps a path to a file-system path inside this web application.
 *
 * <p>Servlet 2.2 interprets the real path as relative to the current web app, and it
 * <em>cannot</em> leave that box. A caller that wants the "other" behaviour must first call
 * {@code getContext(path)} and then {@code getRealPath()} on the returned context, if any (the
 * server may disable that for security reasons).
 *
 * <p>XXX find out how the context path can be determined so that it can be stripped from the
 * path; without that a user needs prior knowledge of the mappings.
 *
 * <p>NOTE(review): unlike {@code getResource()}, no {@code URLUtil.hasEscape()} check is made
 * here; confirm that callers validate the path, or that {@code FileUtil.safePath()} is enough on
 * its own.
 *
 * @param path path relative to this context; {@code null} is treated as the empty string
 * @return whatever {@code FileUtil.safePath()} returns for the context directory and
 *     {@code path}
 */
public String getRealPath(String path) {
    final String contextDir = getAbsolutePath();
    final String relative = (path == null) ? "" : path;

    // No sub-request is needed, which is a great simplification in servlet space.
    // This differs from what some people expect and from how other server APIs work, but it is
    // what 2.2 specifies. From a security point of view it is very good: it keeps
    // inter-webapp communication under control.
    final String resolved = FileUtil.safePath(contextDir, relative);

    if (debug > 5) {
        log("Get real path " + relative + " " + resolved + " " + contextDir);
    }
    return resolved;
}