By specification, META-INF, WEB-INF, OSGI-INF and OSGI-OPT are forbidden: "For confidentiality reasons, a Web Runtime must not return any static content for paths that start with one of the following prefixes: WEB-INF/ OSGI-INF/ META-INF/ OSGI-OPT/"

If one installs a web application and requests http://localhost:8080/<context-path>/WEB-INF./web.xml, the current implementation, instead of returning 404 Not Found, will serve the web.xml content. The problem is reproducible only if the web application is installed in exploded form, and only on Windows OS.
Note to self: this bug was detected by security testing in VMware and reported internally in the bug http://bugzilla.eng.vmware.com/show_bug.cgi?id=957481 (which is not accessible on the internet, but is provided here for correlation purposes).
Hi Glyn, here is a patch for Gemini Web that will handle this issue. I tried to make it as small as possible and to handle only this specific issue. Can you please review it? Thanks, Vily
Created attachment 224292 [details] Patch
Comment on attachment 224292 [details] Patch Suggested an improvement to avoid treating paths such as blah/META-INF./blah specially.
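The check described in this report, as an added example (my own illustration, not Gemini Web's code or its actual fix): the first path segment is normalised the way the Windows filesystem would resolve it before it is compared against the forbidden directory names, so WEB-INF. is refused like WEB-INF, while a forbidden name deeper in the path (blah/META-INF./blah) is left alone, as the review above suggests. Function and constant names are assumptions.

```python
# Added example, not part of the Gemini Web code base.
import os
import posixpath
from urllib.parse import unquote

# Directory names that must never be served as static content.
FORBIDDEN_DIRS = ("WEB-INF", "OSGI-INF", "META-INF", "OSGI-OPT")


def canonical_segment(segment: str, windows: bool) -> str:
    """Return the name the filesystem will actually open for one path segment.

    On Windows, trailing dots and spaces are stripped when a name is resolved,
    so "WEB-INF." opens the directory "WEB-INF"; lookups are also
    case-insensitive there. On POSIX filesystems the name is taken literally.
    """
    if windows:
        return segment.rstrip(". ").upper()
    return segment


def is_confidential_path(request_path: str, windows: bool = (os.name == "nt")) -> bool:
    """True if a context-relative request path must be answered with 404.

    Only the first segment decides: "blah/META-INF/x" is ordinary content.
    Percent-encoding is decoded and "." / ".." segments are collapsed first,
    so "%57EB-INF/web.xml" and "x/../WEB-INF/web.xml" are caught as well.
    """
    path = unquote(request_path).replace("\\", "/")  # defensive: treat '\' as '/'
    path = posixpath.normpath("/" + path).lstrip("/")  # collapses '..' safely
    first = canonical_segment(path.split("/", 1)[0], windows)
    forbidden = {canonical_segment(d, windows) for d in FORBIDDEN_DIRS}
    return first in forbidden
```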
Created attachment 224304 [details] patch
New patch as per comments.
Comment on attachment 224304 [details] patch Looks good now.
Fix and test are provided with commit id 2054a2a560c9758a7ecabf0208dd34672a99c3a9.