Re: [jetty-dev] Fwd: Major security issue or misconfiguration?

Hugues is your best bet for an answer.

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx


On Wed, Jun 27, 2012 at 4:03 PM, Matthew Painter
<matthew.painter@xxxxxxxxxx> wrote:
> Hi all,
>
> Disclosure: This is a cross post from the users list where no-one had any
> suggestions - I hope you as devs may have more insight? :)
>
> I am using Jetty 7.5.1 + OSGi, exposing servlets by using Web-ContextPath.
>
> Say my Web-ContextPath is /foo and I have class bar.FooBar, then I
> can retrieve the class file by going to:
>
> http://my.server/foo/bar/FooBar.class
>
> and I in fact can list the whole directory and subdirectory by visiting:
>
> http://my.server/foo
>
> If I have a servlet mapped to /* then this does not happen.
>
> This seems like an enormous issue. It hasn't happened previously, and I
> can't seem to find what has changed.
>
> The previous behaviour was to 404 on requesting anything but servlet
> mappings, or assets that are not class files and not in META-INF or WEB-INF.
>
> Can anyone shed any light on why all the class files in the bundle are
> exposed?
>
> Thanks!
>
> Matt
>
>
> _______________________________________________
> jetty-dev mailing list
> jetty-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>


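The exposure Matt describes (class files and directory listings served from the bundle root when nothing is mapped to /*) can be cut off at the servlet layer while the root cause is tracked down. The filter below is an added example written for this thread; it is not code from the original post or from the Jetty project. It assumes servlet API 2.5 as used by Jetty 7, a hypothetical package name `example.security`, and that the filter is registered on `/*` in the bundle's web.xml (fragment shown in the trailing comment). The `dirAllowed` init-param on Jetty's `DefaultServlet` is the switch for directory listings, which a filter cannot reliably detect on its own.

```java
// Added example (not from the thread or from Jetty): a servlet Filter that refuses
// to serve .class files and anything under WEB-INF/ or META-INF/, as a fallback
// control while the misconfiguration itself is investigated.
// Assumes servlet API 2.5 (javax.servlet, as shipped with Jetty 7) and that the
// filter is mapped to /* in the bundle's web.xml (see the fragment at the bottom).
package example.security;   // hypothetical package name

import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClassFileGuardFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isForbidden(pathWithinContext(request))) {
            // 404 rather than 403, so the filter does not confirm that the
            // resource exists; this matches the behaviour Matt expected.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Decoded path relative to the context root, e.g. "/bar/FooBar.class". */
    static String pathWithinContext(HttpServletRequest request) {
        String servletPath = request.getServletPath();   // already URL-decoded
        String pathInfo = request.getPathInfo();         // already URL-decoded, may be null
        return (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
    }

    /** Deny rules, applied case-insensitively after resolving "." and ".." segments. */
    static boolean isForbidden(String path) {
        String p = normalize(path).toLowerCase(Locale.ROOT);
        return p.endsWith(".class")
            || p.equals("/web-inf") || p.startsWith("/web-inf/")
            || p.equals("/meta-inf") || p.startsWith("/meta-inf/");
    }

    /** Collapse "." and ".." so "/x/../WEB-INF/web.xml" is judged as "/WEB-INF/web.xml". */
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<String>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { if (!stack.isEmpty()) stack.removeLast(); continue; }
            stack.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : stack) sb.append('/').append(seg);
        return sb.length() == 0 ? "/" : sb.toString();
    }
}

/* Hypothetical web.xml fragment: register the filter on every path and turn off
   directory listings on Jetty's DefaultServlet.

   <filter>
     <filter-name>classFileGuard</filter-name>
     <filter-class>example.security.ClassFileGuardFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>classFileGuard</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   <servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
     <init-param>
       <param-name>dirAllowed</param-name>
       <param-value>false</param-value>
     </init-param>
   </servlet>
*/
```

The filter works on the container-decoded `servletPath` + `pathInfo` rather than the raw request URI, so percent-encoded variants of `.class` or `WEB-INF` are judged after decoding, and it normalises `..` segments before matching. It is a containment measure only: the real fix is to restore whatever mapping or resource-base setting stopped the default 404 behaviour for non-servlet paths.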