GO: Unexpected disclosure of binary code / Addition of a resource guard filter #251
The GO setup allows downloading GitBlit's Java classes (.class files), and also exposes the whole class structure. A live example can be found there (URL broken on purpose to prevent indexation): https://dev.gitblit.com/ com/gitblit/GitBlit.class
The JAR containing the application and the WAR injected into Jetty are the same file. However, Jetty expects to serve the entire WAR contents, except the WEB-INF folder. Thus, all Java binary classes in the JAR are served as if they were legitimate resources.
This pull request prevents accidental access to 'resources' such as GitBlit Java classes by adding a filter to deny them.
Good catch. The fix for this will have to be implemented against develop, not master, which has almost completely eliminated web.xml. I'd also like to find a solution that does not require adding a servlet filter to the entire Gitblit app; since this is a GO-only problem there should be a GO-only solution.
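An added example, not code from this pull request or from Gitblit: a small audit that lists which entries of a combined JAR/WAR would be served as static resources under the behaviour described in the pull request (everything outside WEB-INF), and flags compiled classes among them. The sample archive, its entry names other than com/gitblit/GitBlit.class, and the suffix list are constructed assumptions.

```python
import io
import zipfile

# Assumption: the container refuses to serve only these top-level folders.
# The pull request names WEB-INF; add any others your container protects.
PROTECTED_PREFIXES = ("WEB-INF/",)
# Assumption: entry types that should never be downloadable as static content.
SENSITIVE_SUFFIXES = (".class", ".jar", ".properties")


def web_reachable_entries(archive, protected=PROTECTED_PREFIXES):
    """Return the file entries that sit outside every protected folder."""
    reachable = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lstrip("/")
            if name.startswith(tuple(protected)):
                continue  # the container would answer 404 for these
            reachable.append(name)
    return reachable


def exposed_sensitive(archive, protected=PROTECTED_PREFIXES):
    """Return reachable entries whose type should not be served, sorted."""
    return sorted(
        name for name in web_reachable_entries(archive, protected)
        if name.lower().endswith(SENSITIVE_SUFFIXES)
    )


def build_sample_archive():
    """Constructed in-memory archive that doubles as application JAR and WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (
            "com/gitblit/GitBlit.class",              # path quoted in the report
            "WEB-INF/web.xml",                        # constructed
            "WEB-INF/classes/example/Hidden.class",   # constructed
            "index.html",                             # constructed
        ):
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry in exposed_sensitive(build_sample_archive()):
        print("served to any client:", entry)
```

Pointing `exposed_sensitive` at a real build artifact in CI gives a regression check that fails whenever classes end up outside the protected folders again.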