From d5548efca76bf08c73535befc9daddca9b223d39 Mon Sep 17 00:00:00 2001 From: James Moger Date: Thu, 21 May 2015 21:36:48 -0400 Subject: [PATCH] Remove /org/ filtering --- .../java/com/gitblit/guice/WebModule.java | 31 +++++++------------ .../com/gitblit/servlet/GitblitContext.java | 2 +- 2 files changed, 13 insertions(+), 20 deletions(-) diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java index 4a0cfcd6..c6172c3d 100644 --- a/src/main/java/com/gitblit/guice/WebModule.java +++ b/src/main/java/com/gitblit/guice/WebModule.java @@ -53,11 +53,6 @@ import com.google.inject.servlet.ServletModule; public class WebModule extends ServletModule { final static String ALL = "/*"; - private boolean isGO; - - public WebModule(boolean isGO) { - this.isGO=isGO; - } @Override protected void configureServlets() { @@ -75,20 +70,18 @@ public class WebModule extends ServletModule { serve(Constants.PT_PATH).with(PtServlet.class); serve("/robots.txt").with(RobotsTxtServlet.class); serve("/logo.png").with(LogoServlet.class); - if(isGO) - { - /* Prevent accidental access to 'resources' such as GitBlit java classes - * - * In the GO setup the JAR containing the application and the WAR injected - * into Jetty are the same file. However Jetty expects to serve the entire WAR - * contents, except the WEB-INF folder. Thus, all java binary classes in the - * JAR are served by default as is they were legitimate resources. - * - * The below servlet mappings prevent that behavior - */ - serve(fuzzy("/com/")).with(AccessDeniedServlet.class); - serve(fuzzy("/org/")).with(AccessDeniedServlet.class); - } + + /* Prevent accidental access to 'resources' such as GitBlit java classes + * + * In the GO setup the JAR containing the application and the WAR injected + * into Jetty are the same file. However Jetty expects to serve the entire WAR + * contents, except the WEB-INF folder. Thus, all java binary classes in the + * JAR are served by default as is they were legitimate resources. + * + * The below servlet mappings prevent that behavior + */ + serve(fuzzy("/com/")).with(AccessDeniedServlet.class); + // global filters filter(ALL).through(ProxyFilter.class); filter(ALL).through(EnforceAuthenticationFilter.class); diff --git a/src/main/java/com/gitblit/servlet/GitblitContext.java b/src/main/java/com/gitblit/servlet/GitblitContext.java index d447daca..077624c2 100644 --- a/src/main/java/com/gitblit/servlet/GitblitContext.java +++ b/src/main/java/com/gitblit/servlet/GitblitContext.java @@ -129,7 +129,7 @@ public class GitblitContext extends GuiceServletContextListener { * Returns Gitblit's Guice injection modules. */ protected AbstractModule [] getModules() { - return new AbstractModule [] { new CoreModule(), new WebModule(null!=goBaseFolder) }; + return new AbstractModule [] { new CoreModule(), new WebModule() }; } /** -- 2.39.5