From 2b56c4e50561f979c26482fcac8b39c4ea38bd71 Mon Sep 17 00:00:00 2001
From: anatol-sialitski <53557255+anatol-sialitski@users.noreply.github.com>
Date: Mon, 20 Jan 2025 17:33:09 +0100
Subject: [PATCH] `/admin/tool` must return 404 #10861 (#10867)

---
 .../com/enonic/xp/admin/impl/portal/AdminToolHandler.java | 2 +-
 .../enonic/xp/admin/impl/portal/AdminToolHandlerTest.java | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/admin/admin-impl/src/main/java/com/enonic/xp/admin/impl/portal/AdminToolHandler.java b/modules/admin/admin-impl/src/main/java/com/enonic/xp/admin/impl/portal/AdminToolHandler.java
index 82383f21026..2218b622ed1 100644
--- a/modules/admin/admin-impl/src/main/java/com/enonic/xp/admin/impl/portal/AdminToolHandler.java
+++ b/modules/admin/admin-impl/src/main/java/com/enonic/xp/admin/impl/portal/AdminToolHandler.java
@@ -49,7 +49,7 @@ protected WebResponse doHandle( final WebRequest webRequest, final WebResponse w
 throws Exception
 {
 final String rawPath = webRequest.getRawPath();
- if ( !( rawPath.equals( "/admin" ) || rawPath.equals( "/admin/" ) ) && !TOOL_CXT_PATTERN.matcher( rawPath ).find() )
+ if ( !rawPath.equals( "/admin" ) && !TOOL_CXT_PATTERN.matcher( rawPath ).find() )
 {
 throw WebException.notFound( "Invalid admin tool mount" );
 }
diff --git a/modules/admin/admin-impl/src/test/java/com/enonic/xp/admin/impl/portal/AdminToolHandlerTest.java b/modules/admin/admin-impl/src/test/java/com/enonic/xp/admin/impl/portal/AdminToolHandlerTest.java
index 51c0ae11a58..0c4e6dc5ba2 100644
--- a/modules/admin/admin-impl/src/test/java/com/enonic/xp/admin/impl/portal/AdminToolHandlerTest.java
+++ b/modules/admin/admin-impl/src/test/java/com/enonic/xp/admin/impl/portal/AdminToolHandlerTest.java
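Review bot: In AdminToolHandler.java the new `if` line still gates the mount with `TOOL_CXT_PATTERN.matcher( rawPath ).find()`, which accepts a match anywhere in the raw path unless the pattern itself is anchored; the pattern's definition is outside this hunk, so that cannot be confirmed from here. Because this condition decides which request paths reach the admin tool handler, the anchoring is better made explicit at the call site, for example `!TOOL_CXT_PATTERN.matcher( rawPath ).lookingAt()` if the pattern is meant to match from the start of the path. A short comment above the condition, such as `// only the bare "/admin" mount and tool context paths are served; "/admin/" is rejected on purpose (#10861)`, would also record why the trailing-slash form was dropped. doHandle's body continues outside the hunk.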
@@ -137,6 +137,11 @@ void testInvalidAdminToolMount()
 ex = assertThrows( WebException.class, () -> this.handler.doHandle( this.portalRequest, this.webResponse, this.chain ) );
 assertEquals( HttpStatus.NOT_FOUND, ex.getStatus() );
 assertEquals( "Invalid admin tool mount", ex.getMessage() );
+
+ this.portalRequest.setRawPath( "/admin/" );
+ ex = assertThrows( WebException.class, () -> this.handler.doHandle( this.portalRequest, this.webResponse, this.chain ) );
+ assertEquals( HttpStatus.NOT_FOUND, ex.getStatus() );
+ assertEquals( "Invalid admin tool mount", ex.getMessage() );
 }
 
 private void mockDescriptor( DescriptorKey descriptorKey, boolean hasAccess )
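Review bot: The added `/admin/` case in testInvalidAdminToolMount copies the same set-path, assertThrows and two assertEquals lines that precede it, and the path named in the subject, `/admin/tool`, is not asserted in the visible lines (it may be covered earlier in the method, which starts outside the hunk). Moving the check into a small private helper turns each rejected mount into a one-line case, so further malformed mounts can be pinned cheaply. A companion assertion that the bare `/admin` path still passes the guard would keep the allowed side of the condition covered as well, if no other test already does so.

```java
// … unchanged: earlier invalid-mount assertions in testInvalidAdminToolMount …
assertInvalidMount( "/admin/" );
// … unchanged: end of testInvalidAdminToolMount …

private void assertInvalidMount( final String rawPath )
{
    this.portalRequest.setRawPath( rawPath );
    final WebException ex =
        assertThrows( WebException.class, () -> this.handler.doHandle( this.portalRequest, this.webResponse, this.chain ) );
    assertEquals( HttpStatus.NOT_FOUND, ex.getStatus() );
    assertEquals( "Invalid admin tool mount", ex.getMessage() );
}
```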