[jetty-users] Major security issue or misconfiguration?
Hi all,
I am using Jetty7.5.1+OSGi, exposing servlets by using Web-ContextPath.
Say my Web-ContextPath is /foo and I have class bar.FooBar, then I can retrieve the class file by going to:
and I in fact can list the whole directory and subdirectory by visiting:
If I have a servlet mapped to /* then this does not happen.
This seems like an enormous issue. It hasn't happened previously, and I can't seem to find what has changed.
The previous behaviour was to 404 on requesting anything but servlet mappings, or assets that are not class files and not in META-INF or WEB-INF.
Can anyone shed any light on why all the class files in the bundle are exposed?
Thanks!
Matt