apache · lukaszlenart · Mar 16, 2026
diff --git a/apps/rest-showcase/README.md b/apps/rest-showcase/README.md
@@ -0,0 +1,18 @@
+# Rest Showcase
+
+> **WARNING:** This application is a demonstration/development tool only. It is **NOT** intended for production
+> deployment. Deploying this application on a publicly accessible server may pose security risks.
+
+Rest Showcase is a simple example of a REST app built with the REST plugin.
+
+For more on getting started with Struts, see:
+
+- https://struts.apache.org/getting-started/
+
+## I18N
+
+Please note that this project was created with the assumption that it will be run in an environment where the default
+locale is set to English. This means that the default messages defined in `package.properties` are in English.
+
+If the default locale for your server is different, then rename `package.properties` to `package_en.properties` and
+create a new `package.properties` with proper values for your default locale.
diff --git a/apps/rest-showcase/README.txt b/apps/rest-showcase/README.txt
diff --git a/apps/showcase/README.md b/apps/showcase/README.md
@@ -0,0 +1,19 @@
+# Showcase
+
+> **WARNING:** This application is a demonstration/development tool only. It is **NOT** intended for production
+> deployment. It contains features such as source code viewing that intentionally expose internal application details.
+> Deploying this application on a publicly accessible server may pose security risks.
+
+Showcase is a collection of examples with code that you might adopt and adapt in your own applications.
+
+For more on getting started with Struts, see:
+
+- https://struts.apache.org/getting-started/
+
+## I18N
+
+Please note that this project was created with the assumption that it will be run in an environment where the default
+locale is set to English. This means that the default messages defined in `package.properties` are in English.
+
+If the default locale for your server is different, then rename `package.properties` to `package_en.properties` and
+create a new `package.properties` with proper values for your default locale.
diff --git a/apps/showcase/README.txt b/apps/showcase/README.txt
diff --git a/apps/showcase/src/main/java/org/apache/struts2/showcase/source/ViewSourceAction.java b/apps/showcase/src/main/java/org/apache/struts2/showcase/source/ViewSourceAction.java
@@ -30,7 +30,9 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.URI;
 import java.net.URL;
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -90,7 +92,10 @@
         if (config != null && config.startsWith("file:/")) {
             int pos = config.lastIndexOf(':');
             configLine = Integer.parseInt(config.substring(pos + 1));
-            configLines = read(new URL(config.substring(0, pos)).openStream(), configLine);
+            String fileUrl = config.substring(0, pos);
+            if (isAllowedConfigPath(fileUrl)) {
+                configLines = read(new URL(fileUrl).openStream(), configLine);
+            }
         }
         return SUCCESS;
     }
@@ -227,6 +232,24 @@
         return snippet;
     }
 
+    /**
+     * Validates that the given file URL points to an XML file within the webapp's real path,
+     * preventing arbitrary file reads via crafted config parameters.
+     */
+    private boolean isAllowedConfigPath(String fileUrl) {
+        try {
+            Path filePath = Path.of(new URI(fileUrl)).toRealPath();
+            String realBasePath = servletContext.getRealPath("/");
+            if (realBasePath == null) {
+                return false;
+            }
+            Path basePath = Path.of(realBasePath).toRealPath();
+            return filePath.startsWith(basePath) && filePath.toString().endsWith(".xml");
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
     @Override
     public void withServletContext(ServletContext arg0) {
         this.servletContext = arg0;