Bug 395246 - Access to forbidden directories can be granted
Summary: Access to forbidden directories can be granted
Status: CLOSED FIXED
Alias: None
Product: Gemini.Web
Classification: RT
Component: unknown
Version: 2.1.0.RELEASE
Hardware: PC Windows 7
Importance: P3 critical
Target Milestone: 2.2.0.M03
Assignee: Violeta Georgieva CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:

Reported: 2012-11-28 03:42 EST by Violeta Georgieva CLA
Modified: 2013-01-02 13:43 EST

See Also:


Attachments
Patch (4.09 KB, patch)
2012-12-05 02:25 EST, Violeta Georgieva CLA
nobody: review+
patch (5.66 KB, patch)
2012-12-05 06:17 EST, Violeta Georgieva CLA
nobody: review+

Description Violeta Georgieva CLA 2012-11-28 03:42:32 EST
By specification, META-INF, WEB-INF, OSGI-INF and OSGI-OPT are forbidden.

"For confidentiality reasons, a Web Runtime must not return any static content for paths that start with one of the following prefixes:
WEB-INF/
OSGI-INF/
META-INF/
OSGI-OPT/"

If one installs a web application and requests

http://localhost:8080/<context-path>/WEB-INF./web.xml

with the current implementation, instead of 404 Not Found, Gemini Web will serve the web.xml content.

The problem is reproducible only if the web application is installed in an exploded form and only on Windows OS.
Comment 1 Nobody - feel free to take it CLA 2012-11-28 04:56:22 EST
Note to self: this bug was detected by security testing in VMware and reported internally in the bug http://bugzilla.eng.vmware.com/show_bug.cgi?id=957481 (which is not accessible on the internet, but is provided here for correlation purposes).
Comment 2 Violeta Georgieva CLA 2012-12-05 02:24:56 EST
Hi Glyn,

Here is a patch for Gemini Web that will handle this issue.
I tried to make it as small as possible and to handle only this specific issue.

Can you please review it?

Thanks
Vily
Comment 3 Violeta Georgieva CLA 2012-12-05 02:25:48 EST
Created attachment 224292 [details]
Patch
Comment 4 Nobody - feel free to take it CLA 2012-12-05 05:09:07 EST
Comment on attachment 224292 [details]
Patch

Suggested an improvement to avoid treating paths such as blah/META-INF./blah specially.
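Added illustration (in Python, not the Gemini Web patch, which is not shown on this page) of the check described in the report and the refinement from comment 4: the vulnerable string-prefix test on the raw request path beside a form that first normalises the first path segment the way the Windows file system will resolve it, and examines only that segment, so blah/META-INF./blah is not treated specially. Function names are assumed; the trailing-space and case-insensitive handling go beyond the single trailing-dot case in the report, since Win32 name resolution ignores both.

```python
import posixpath

# Prefixes the OSGi Web Applications specification forbids serving as static content.
FORBIDDEN_PREFIXES = ("WEB-INF", "OSGI-INF", "META-INF", "OSGI-OPT")


def naive_is_forbidden(request_path: str) -> bool:
    """Vulnerable form: a plain string-prefix check on the raw request path.

    "WEB-INF./web.xml" does not start with "WEB-INF/", so it is allowed, yet on
    Windows the directory name "WEB-INF." resolves to "WEB-INF" and the file is served.
    """
    path = request_path.lstrip("/")
    return any(path.startswith(prefix + "/") for prefix in FORBIDDEN_PREFIXES)


def windows_name(segment: str) -> str:
    """Model of Win32 file-name resolution: trailing dots and spaces in a name are
    ignored, and names compare case-insensitively (upper-cased here for comparison)."""
    return segment.rstrip(". ").upper()


def hardened_is_forbidden(request_path: str) -> bool:
    """Decide on the name the file system would actually open, not on the raw text.

    Only the first path segment is examined: the spec forbids paths that *start
    with* a prefix, so "blah/META-INF./blah" is not treated specially (comment 4).
    """
    # Collapse "..", "." and doubled separators before looking at the first segment.
    path = posixpath.normpath("/" + request_path).lstrip("/")
    first_segment = path.split("/", 1)[0]
    return windows_name(first_segment) in FORBIDDEN_PREFIXES


if __name__ == "__main__":
    # Constructed sample request paths, including the one from the report.
    for p in ("WEB-INF/web.xml", "WEB-INF./web.xml", "web-inf /web.xml",
              "blah/META-INF./blah", "x/../OSGI-OPT./y", "index.html"):
        print(f"{p!r:24} naive={naive_is_forbidden(p)!s:5} hardened={hardened_is_forbidden(p)}")
```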
Comment 5 Violeta Georgieva CLA 2012-12-05 06:17:43 EST
Created attachment 224304 [details]
patch
Comment 6 Violeta Georgieva CLA 2012-12-05 06:21:50 EST
New patch as per comments.
Comment 7 Nobody - feel free to take it CLA 2012-12-05 06:29:31 EST
Comment on attachment 224304 [details]
patch

Looks good now.
Comment 8 Violeta Georgieva CLA 2012-12-05 07:28:07 EST
Fix and test are provided with commit id 2054a2a560c9758a7ecabf0208dd34672a99c3a9