Just posting it here so it gets visibility, I didn't write the original message:
There appears to be a vulnerability which lets users read any file from the file system
If the core folks aren't available, I could take a stab at this tonight/tomorrow.
CVE-2016-9177 has been assigned for this vulnerability:
I wasn't able to reproduce in a minimal Spark app JAR, but it's indeed reproducible by running spark.examples.staticresources.StaticResources (in an IDE) and curling away at it. Will have to investigate more.
Not really having the time and peace to thoroughly investigate, but based on some quick tests:
The difference between running in an IDE and running as a packaged-up application is probably due either to resources being inside a JAR file, or to a different class loader setup. Should try running in an unpackaged application.
We are available. The emails "AJ" tried to send all got caught by gmail's spam filters (which this guy was aware could be the case, but "failed" to mention in his emails shown on marc.info)
We are addressing this ASAP.
Fix for #700 - Arbitrary File Read Vulnerability
Fixed with #701.
Spark 2.5.2 released http://search.maven.org/#artifactdetails%7Ccom.sparkjava%7Cspark-core%7C2.5.2%7Cbundle with this fix!