
GO: Unexpected disclosure of binary code / Addition of a resource guard filter #251

wants to merge 2 commits into from



commented Apr 12, 2015


The GO setup allows downloading GitBlit's java classes (.class files), and also exposes the whole class structure. A live example can be found there (URL broken on purpose to prevent indexation): com/gitblit/GitBlit.class

The JAR containing the application and the WAR injected into Jetty are the same file. However Jetty expects to serve the entire WAR contents, except the WEB-INF folder. Thus, all java binary classes in the JAR are served as if they were legitimate resources.

This pull request prevents accidental access to 'resources' such as GitBlit java classes by adding a filter to deny them.
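As an added example of the kind of resource guard the description proposes (illustrative code written for this page, not the pull request's own implementation and not Gitblit code): a servlet filter that refuses any request whose normalized path ends in `.class` or starts with a package directory, so that the container's default servlet never gets the chance to serve compiled classes out of the JAR. The class name, the package, the denied prefixes and suffixes, and the choice of a 404 response are assumptions.

```java
package example.guard; // hypothetical package, not Gitblit's

import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter: denies requests for files that live in the served
 * document root only because the WAR and the application JAR are one file.
 */
public class ClassFileGuardFilter implements Filter {

    /** Package roots under the context root that must never be served (assumed values). */
    private static final String[] DENIED_PREFIXES = { "/com/", "/org/", "/meta-inf/" };

    /** File suffixes that must never be served (assumed values). */
    private static final String[] DENIED_SUFFIXES = { ".class", ".jar" };

    /**
     * Collapses "." and ".." segments, repeated slashes and ";param" suffixes so
     * that "/x/../com/gitblit/GitBlit.class;v=1" is judged by its real target.
     */
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                out.pollLast();
                continue;
            }
            int semi = seg.indexOf(';');
            out.addLast(semi >= 0 ? seg.substring(0, semi) : seg);
        }
        return "/" + String.join("/", out);
    }

    /** True when the request path must be blocked. Case-folded because some filesystems are case-insensitive. */
    static boolean isDenied(String servletPath, String pathInfo) {
        String joined = (servletPath == null ? "" : servletPath)
                      + (pathInfo == null ? "" : pathInfo);
        String path = normalize(joined).toLowerCase(Locale.ROOT);
        for (String suffix : DENIED_SUFFIXES) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        for (String prefix : DENIED_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isDenied(req.getServletPath(), req.getPathInfo())) {
            // 404 rather than 403 so the response does not confirm that the file exists.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

To take effect the filter has to be declared in web.xml with a filter-mapping whose url-pattern is `/*`, and it should be listed before any other filter so that nothing upstream serves the file first. The normalization step matters: a check on the raw path alone can be sidestepped by dot segments, trailing slashes or mixed case on a case-insensitive filesystem. The filter is a stopgap at the servlet layer; the more durable fix is to keep compiled classes out of the served document root altogether, which is what the maintainer's preference for a GO-only solution points toward.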



commented Apr 13, 2015

Good catch. The fix for this will have to be implemented against develop, not master, which has almost completely eliminated web.xml. I'd also like to find a solution that does not require adding a servlet filter to the entire Gitblit app; since this is a GO-only problem there should be a GO-only solution.



commented Apr 14, 2015

Hi James,

Thanks for your comments; I will close this pull request and create a new one with a neater fix against develop.
