summaryrefslogtreecommitdiffstats
path: root/src/main/java/com/gitblit/guice/WebModule.java
diff options
context:
space:
mode:
Diffstat (limited to 'src/main/java/com/gitblit/guice/WebModule.java')
-rw-r--r--src/main/java/com/gitblit/guice/WebModule.java12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java
index 5b569182..c6172c3d 100644
--- a/src/main/java/com/gitblit/guice/WebModule.java
+++ b/src/main/java/com/gitblit/guice/WebModule.java
@@ -19,6 +19,7 @@ import java.util.HashMap;
import java.util.Map;
import com.gitblit.Constants;
+import com.gitblit.servlet.AccessDeniedServlet;
import com.gitblit.servlet.BranchGraphServlet;
import com.gitblit.servlet.DownloadZipFilter;
import com.gitblit.servlet.DownloadZipServlet;
@@ -70,6 +71,17 @@ public class WebModule extends ServletModule {
serve("/robots.txt").with(RobotsTxtServlet.class);
serve("/logo.png").with(LogoServlet.class);
+ /* Prevent accidental access to 'resources' such as GitBlit java classes
+ *
+ * In the GO setup the JAR containing the application and the WAR injected
+ * into Jetty are the same file. However Jetty expects to serve the entire WAR
+ * contents, except the WEB-INF folder. Thus, all java binary classes in the
+ * JAR are served by default as is they were legitimate resources.
+ *
+ * The below servlet mappings prevent that behavior
+ */
+ serve(fuzzy("/com/")).with(AccessDeniedServlet.class);
+
// global filters
filter(ALL).through(ProxyFilter.class);
filter(ALL).through(EnforceAuthenticationFilter.class);
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-08 09:21:55 +0000