StaticHandler should not serve files under hidden directories

tsegismont · vietj · commit 284cf73f144b · 2025-10-22T14:03:11.000+02:00
If the handler is configured to exclude hidden files, it should not only exclude hidden files, but also files under hidden directories.

Signed-off-by: Thomas Segismont &lt;tsegismont@gmail.com&gt;
diff --git a/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java b/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
@@ -193,15 +193,16 @@ private void sendStatic(RoutingContext context, FileSystem fileSystem, String pa
 
     if (!includeHidden) {
       file = getFile(path, context);
-      int idx = file.lastIndexOf('/');
-      String name = file.substring(idx + 1);
-      if (name.length() > 0 && name.charAt(0) == '.') {
-        // skip
-        if (!context.request().isEnded()) {
-          context.request().resume();
+      for (int idx = file.indexOf('/'); idx >= 0; idx = file.indexOf('/', idx + 1)) {
+        String name = file.substring(idx + 1);
+        if (name.length() > 0 && name.charAt(0) == '.') {
+          // skip
+          if (!context.request().isEnded()) {
+            context.request().resume();
+          }
+          context.next();
+          return;
         }
-        context.next();
-        return;
       }
     }
 
diff --git a/vertx-web/src/test/java/io/vertx/ext/web/handler/StaticHandlerTest.java b/vertx-web/src/test/java/io/vertx/ext/web/handler/StaticHandlerTest.java
@@ -131,12 +131,14 @@ public void testCantGetHiddenPage() throws Exception {
   @Test
   public void testGetHiddenPageSubdir() throws Exception {
     testRequest(HttpMethod.GET, "/somedir/.hidden.html", 200, "OK", "<html><body>Hidden page</body></html>");
+    testRequest(HttpMethod.GET, "/somedir/.hidden/otherpage.html", 200, "OK", "<html><body>Subdirectory other page</body></html>");
   }
 
   @Test
   public void testCantGetHiddenPageSubdir() throws Exception {
     stat.setIncludeHidden(false);
     testRequest(HttpMethod.GET, "/somedir/.hidden.html", 404, "Not Found");
+    testRequest(HttpMethod.GET, "/somedir/.hidden/otherpage.html", 404, "Not Found");
   }
 
   @Test
diff --git a/vertx-web/src/test/resources/webroot/somedir/.hidden/otherpage.html b/vertx-web/src/test/resources/webroot/somedir/.hidden/otherpage.html
@@ -0,0 +1 @@
+<html><body>Subdirectory other page</body></html>

Original file line number	Diff line number	Diff line change
`@@ -131,12 +131,14 @@ public void testCantGetHiddenPage() throws Exception {`
`131`	`131`	`@Test`
`132`	`132`	`public void testGetHiddenPageSubdir() throws Exception {`
`133`	`133`	`testRequest(HttpMethod.GET, "/somedir/.hidden.html", 200, "OK", "<html><body>Hidden page</body></html>");`
	`134`	`+ testRequest(HttpMethod.GET, "/somedir/.hidden/otherpage.html", 200, "OK", "<html><body>Subdirectory other page</body></html>");`
`134`	`135`	`}`
`135`	`136`
`136`	`137`	`@Test`
`137`	`138`	`public void testCantGetHiddenPageSubdir() throws Exception {`
`138`	`139`	`stat.setIncludeHidden(false);`
`139`	`140`	`testRequest(HttpMethod.GET, "/somedir/.hidden.html", 404, "Not Found");`
	`141`	`+ testRequest(HttpMethod.GET, "/somedir/.hidden/otherpage.html", 404, "Not Found");`
`140`	`142`	`}`
`141`	`143`
`142`	`144`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<html><body>Subdirectory other page</body></html>`