From e5227a46f4405dd8bfcc1582356f8e12d1e928c0 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Mayer Date: Tue, 14 Apr 2015 22:33:02 +0100 Subject: Deny access to /com and /org folders in GO setup Added a servlet to serve "Access Denied" Added conditional mapping of /com and /org folders in the web setup --- src/main/java/com/gitblit/guice/WebModule.java | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'src/main/java/com/gitblit/guice/WebModule.java') diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java index 5b569182..4a0cfcd6 100644 --- a/src/main/java/com/gitblit/guice/WebModule.java +++ b/src/main/java/com/gitblit/guice/WebModule.java @@ -19,6 +19,7 @@ import java.util.HashMap; import java.util.Map; import com.gitblit.Constants; +import com.gitblit.servlet.AccessDeniedServlet; import com.gitblit.servlet.BranchGraphServlet; import com.gitblit.servlet.DownloadZipFilter; import com.gitblit.servlet.DownloadZipServlet; @@ -52,6 +53,11 @@ import com.google.inject.servlet.ServletModule; public class WebModule extends ServletModule { final static String ALL = "/*"; + private boolean isGO; + + public WebModule(boolean isGO) { + this.isGO=isGO; + } @Override protected void configureServlets() { @@ -69,7 +75,20 @@ public class WebModule extends ServletModule { serve(Constants.PT_PATH).with(PtServlet.class); serve("/robots.txt").with(RobotsTxtServlet.class); serve("/logo.png").with(LogoServlet.class); - + if(isGO) + { + /* Prevent accidental access to 'resources' such as GitBlit java classes + * + * In the GO setup the JAR containing the application and the WAR injected + * into Jetty are the same file. However Jetty expects to serve the entire WAR + * contents, except the WEB-INF folder. Thus, all java binary classes in the + * JAR are served by default as is they were legitimate resources. + * + * The below servlet mappings prevent that behavior + */ + serve(fuzzy("/com/")).with(AccessDeniedServlet.class); + serve(fuzzy("/org/")).with(AccessDeniedServlet.class); + } // global filters filter(ALL).through(ProxyFilter.class); filter(ALL).through(EnforceAuthenticationFilter.class); -- cgit v1.2.3 From d5548efca76bf08c73535befc9daddca9b223d39 Mon Sep 17 00:00:00 2001 From: James Moger Date: Thu, 21 May 2015 21:36:48 -0400 Subject: Remove /org/ filtering --- src/main/java/com/gitblit/guice/WebModule.java | 31 +++++++++------------- .../java/com/gitblit/servlet/GitblitContext.java | 2 +- 2 files changed, 13 insertions(+), 20 deletions(-) (limited to 'src/main/java/com/gitblit/guice/WebModule.java') diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java index 4a0cfcd6..c6172c3d 100644 --- a/src/main/java/com/gitblit/guice/WebModule.java +++ b/src/main/java/com/gitblit/guice/WebModule.java @@ -53,11 +53,6 @@ import com.google.inject.servlet.ServletModule; public class WebModule extends ServletModule { final static String ALL = "/*"; - private boolean isGO; - - public WebModule(boolean isGO) { - this.isGO=isGO; - } @Override protected void configureServlets() { @@ -75,20 +70,18 @@ public class WebModule extends ServletModule { serve(Constants.PT_PATH).with(PtServlet.class); serve("/robots.txt").with(RobotsTxtServlet.class); serve("/logo.png").with(LogoServlet.class); - if(isGO) - { - /* Prevent accidental access to 'resources' such as GitBlit java classes - * - * In the GO setup the JAR containing the application and the WAR injected - * into Jetty are the same file. However Jetty expects to serve the entire WAR - * contents, except the WEB-INF folder. Thus, all java binary classes in the - * JAR are served by default as is they were legitimate resources. - * - * The below servlet mappings prevent that behavior - */ - serve(fuzzy("/com/")).with(AccessDeniedServlet.class); - serve(fuzzy("/org/")).with(AccessDeniedServlet.class); - } + + /* Prevent accidental access to 'resources' such as GitBlit java classes + * + * In the GO setup the JAR containing the application and the WAR injected + * into Jetty are the same file. However Jetty expects to serve the entire WAR + * contents, except the WEB-INF folder. Thus, all java binary classes in the + * JAR are served by default as is they were legitimate resources. + * + * The below servlet mappings prevent that behavior + */ + serve(fuzzy("/com/")).with(AccessDeniedServlet.class); + // global filters filter(ALL).through(ProxyFilter.class); filter(ALL).through(EnforceAuthenticationFilter.class); diff --git a/src/main/java/com/gitblit/servlet/GitblitContext.java b/src/main/java/com/gitblit/servlet/GitblitContext.java index d447daca..077624c2 100644 --- a/src/main/java/com/gitblit/servlet/GitblitContext.java +++ b/src/main/java/com/gitblit/servlet/GitblitContext.java @@ -129,7 +129,7 @@ public class GitblitContext extends GuiceServletContextListener { * Returns Gitblit's Guice injection modules. */ protected AbstractModule [] getModules() { - return new AbstractModule [] { new CoreModule(), new WebModule(null!=goBaseFolder) }; + return new AbstractModule [] { new CoreModule(), new WebModule() }; } /** -- cgit v1.2.3