GO: Unexpected disclosure of binary code / Addition of a resource guard filter #251

Closed


jibee commented Apr 12, 2015

Hi,

The GO setup allows downloading GitBlit's Java classes (.class files), and also exposes the whole class structure. A live example can be found here (URL broken on purpose to prevent indexation): https://dev.gitblit.com/ com/gitblit/GitBlit.class

The JAR containing the application and the WAR injected into Jetty are the same file. However, Jetty expects to serve the entire WAR contents, except the WEB-INF folder. Thus, all Java binary classes in the JAR are served as if they were legitimate resources.

This pull request prevents accidental access to 'resources' such as GitBlit Java classes by adding a filter to deny them.
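The mechanism behind the report: Jetty's default servlet resolves any request path against the deployed WAR, hiding only `WEB-INF/`. When the WAR is the application JAR itself, `com/gitblit/GitBlit.class` is a valid path inside it and is served like any static file. The following filter is an added example of the "deny by filter" approach the pull request describes; it is not the PR's own code or Gitblit's, and it assumes the `javax.servlet` 3.x API (the class and constant names here are illustrative).

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Gitblit's code: a servlet filter that refuses to serve
 * compiled classes and jar metadata when the application JAR doubles as the WAR.
 * Map it to /* in web.xml so it runs in front of the default (static resource) servlet.
 */
public class ClassResourceGuardFilter implements Filter {

    // Directory prefixes that must never be served. WEB-INF is already hidden by
    // the container; META-INF (manifest, signatures, maven metadata) is not.
    private static final String[] DENIED_PREFIXES = { "meta-inf/", "web-inf/" };

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath and pathInfo are already percent-decoded by the container,
        // which is the same view the default servlet uses to resolve the resource.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (isDeniedResource(path)) {
            // 404 rather than 403: indistinguishable from a resource that does not exist,
            // so the response does not confirm which class names are present.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns true if the decoded request path points at a class file or jar metadata. */
    static boolean isDeniedResource(String path) {
        String canonical = canonicalize(path).toLowerCase(Locale.ROOT);
        if (canonical.endsWith(".class")) {
            return true;
        }
        for (String prefix : DENIED_PREFIXES) {
            if (canonical.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collapses "." and ".." segments and strips ";param" path parameters from each
     * segment, so that "/a/../com/gitblit/GitBlit.class;x=1" and
     * "/com/gitblit/GitBlit.class/" are both recognised as ending in ".class".
     */
    static String canonicalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                segment = segment.substring(0, semi);
            }
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                segments.pollLast();
                continue;
            }
            segments.addLast(segment);
        }
        return String.join("/", segments);
    }
}
```

After deploying any fix, the check is the same request the report used: `curl -sI https://your-host/com/gitblit/GitBlit.class` should return 404 rather than 200 with `Content-Type: application/java-vm` or similar. Note the maintainer's preference below for a GO-only solution rather than a filter applied to the whole application; a filter like this is a generic mitigation, while the root cause is that the GO distribution's JAR is deployed as the WAR.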

Owner

gitblit commented Apr 13, 2015

Good catch. The fix for this will have to be implemented against develop, not master, which has almost completely eliminated web.xml. I'd also like to find a solution that does not require adding a servlet filter to the entire Gitblit app; since this is a GO-only problem there should be a GO-only solution.

jibee commented Apr 14, 2015

Hi James,

Thanks for your comments; I will close this pull request and create a new one with a neater fix against develop.
