
GO: Unexpected disclosure of binary code / Addition of a resource guard filter #251

Closed

Conversation

@jibee

commented Apr 12, 2015

Hi,

The GO setup allows downloading GitBlit's java classes (.class files), and also exposes the whole class structure. A live example can be found there (URL broken on purpose to prevent indexation): https://dev.gitblit.com/ com/gitblit/GitBlit.class

The JAR containing the application and the WAR injected into Jetty are the same file. However Jetty expects to serve the entire WAR contents, except the WEB-INF folder. Thus, all java binary classes in the JAR are served as if they were legitimate resources.

This pull request prevents accidental access to 'resources' such as GitBlit java classes by adding a filter to deny them.
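To illustrate the "resource guard filter" approach described above, here is an added example of such a servlet filter; it is not the pull request's code nor Gitblit's, and it assumes a javax.servlet container (Jetty as used by GO). The class name `ResourceGuardFilter`, the helper `isGuardedPath` and the choice to also guard META-INF are assumptions for this example.

```java
// Added example (not Gitblit's own code): deny requests for paths that Jetty would
// otherwise serve straight out of the JAR that doubles as the WAR.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ResourceGuardFilter implements Filter {

    /** Decision on an already URL-decoded path, kept separate so it is easy to unit test. */
    static boolean isGuardedPath(String path) {
        if (path == null) {
            return false;
        }
        // Normalise before matching: tolerate backslashes and mixed case (".CLASS").
        String p = path.replace('\\', '/').toLowerCase();
        // Compiled classes anywhere in the tree, e.g. /com/gitblit/GitBlit.class
        if (p.endsWith(".class")) {
            return true;
        }
        // WEB-INF is normally withheld by the container already; META-INF is guarded
        // here as well (an assumption of this example, not something the PR states).
        return p.equals("/web-inf") || p.startsWith("/web-inf/")
                || p.equals("/meta-inf") || p.startsWith("/meta-inf/");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getServletPath()/getPathInfo() are decoded by the container, unlike getRequestURI(),
        // so percent-encoded variants of ".class" are matched too.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        if (isGuardedPath(path)) {
            // Answer 404 rather than 403 so the response does not confirm the artifact exists.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The filter would be registered in web.xml with a `<filter>` entry and a `<filter-mapping>` on `/*` so it runs before the default servlet that serves static resources.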

@gitblit

Owner

commented Apr 13, 2015

Good catch. The fix for this will have to be implemented against develop, not master, which has almost completely eliminated web.xml. I'd also like to find a solution that does not require adding a servlet filter to the entire Gitblit app; since this is a GO-only problem there should be a GO-only solution.

@jibee

Author

commented Apr 14, 2015

Hi James,

Thanks for your comments; I will close this pull request and create a new one with a neater fix against develop.
