From: Martin R. <ma...@vi...> - 2004-08-31 07:00:02
if you are really facing a security breach then temporarily changing

<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.jsp</url-pattern>
</servlet-mapping>

to

<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.Jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.JSp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.JSP</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.JsP</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.jSp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.jSP</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.jsP</url-pattern>
</servlet-mapping>

is not really a huge overkill now, is it? it may be ugly and annoying, but if it temporarily patches your security problem, you should just apply it until greg makes a statement here.

it's actually awkward that jetty should make X workaround for accessing files because windows can't make a difference between .jsp and .jSp. besides, as i assume you have unbreakable code anyway and don't hold any usernames nor passwords in the jsp code, if you use a proper MVC you don't even have real code in the jsp, so ... it doesn't actually make the user any wiser if he sees that you use the wonderful java beans to output some info.

and just as the alias case-insensitive checking may work wonderfully for windows, i'd be pretty mad if README.TXT were served for the request readme.txt, because on *nix systems these 2 can be completely different files, i assume you agree with that.

just like i can do this:

martin@asgard:~/proged/java/jetty/jetty-5.0.RC1/webapps/crasher$ ls -la
total 8
drwxr-xr-x 4 martin martin 208 2004-08-31 09:58 .
drwxr-xr-x 5 martin martin 160 2004-06-20 11:38 ..
drwxr-xr-x 2 martin martin 112 2004-06-18 11:06 error
-rw-r--r-- 1 martin martin  26 2004-06-18 10:53 index2.html
-rw-r--r-- 1 martin martin  28 2004-08-31 08:42 index.jsp
-rw-r--r-- 1 martin martin   0 2004-08-31 09:58 test.txt
-rw-r--r-- 1 martin martin   0 2004-08-31 09:58 TEST.TXT

i should also be able to apply different aliases to both .txt and .TXT files.

Martin - still on debian :)

Oliver Hutchison wrote:
> I know why it's happening but changing the server seems like overkill
> especially given that Jetty should be doing the alias checking anyway.
>
> http://www.mortbay.org/jetty/faq?s=400-Security&t=Aliases
>
>> -----Original Message-----
>> From: jet...@li... [mailto:jet...@li...] On Behalf Of Martin Roos
>> Sent: Tuesday, 31 August 2004 3:40 PM
>> To: jet...@li...
>> Subject: Re: [Jetty-support] Alias checking broken in Jetty 5.0 RC3?
>>
>> wush, the thing is, jetty maps all *.jsp requests case sensitive, but
>> your windows machine doesn't make a difference between .jsp and .jSp
>> since its file system is case insensitive. as a temporary fix, map all
>> of these, .JSP .jSP .jSp .Jsp .jsP and .JSp, to the jasper or deny
>> access to them.
>>
>> i'm not really sure jetty should fix it with code, the default config
>> should just be altered. the thing is that the mappings are supposed to
>> be case sensitive and i'm pretty sure jetty developers won't make an
>> exception here.
>>
>> just add the additional mappings and you should be fine.
>>
>> better yet, install an operating system. *grin*
>>
>> of course Greg, if you read this, could you make sure that if the user
>> asks for a file and windows claims it has found it as a file, if the
>> upper/lowercase comparison fails, report a 404 instead of serving the
>> file, as if the user would switch to Unix at some time, he would get
>> the 404 anyway.
>>
>> martin - on debian since y2k.
>>
>> Oliver Hutchison wrote:
>>
>>> It seems that Jetty is not doing any alias checking in 5.0 RC3 on
>>> Windows 2000? For instance I just discovered that I can request the
>>> following URL:
>>>
>>>   http://localhost:8080/index.jSp
>>>
>>> which will send me the code! Are other people seeing this? This is
>>> certainly new since Jetty 5.0
>>>
>>> Ollie
>>>
>>> _______________________________________________
>>> Jetty-support mailing list Jet...@li...
>>> https://lists.sourceforge.net/lists/listinfo/jetty-support
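Added example, not part of this thread and not Jetty's own code: the behaviour Martin asks Greg for (report a 404 when the on-disk name of an existing file differs from the name in the request, instead of letting a case-insensitive file system turn index.jSp into index.jsp and hand out the source) written as a hypothetical servlet filter named CaseAliasFilter. It assumes the javax.servlet API of that era and a file-based web application root; the class and method names are my own.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Jetty code): refuses to serve a file whose name
 * as stored on disk differs from the name that was requested, e.g.
 * /index.jSp reaching index.jsp on a case-insensitive file system.
 * Map it to /* in web.xml so it runs before the default and JSP servlets.
 */
public class CaseAliasFilter implements Filter {
    // Canonical web application root, or null when the context is not file-based.
    private File docRoot;

    public void init(FilterConfig config) throws ServletException {
        ServletContext ctx = config.getServletContext();
        String root = ctx.getRealPath("/");
        if (root != null) {
            try {
                docRoot = new File(root).getCanonicalFile();
            } catch (IOException e) {
                throw new ServletException("cannot resolve web application root", e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (docRoot != null && isAlias((HttpServletRequest) req)) {
            // Answer exactly as a case-sensitive file system would: not found.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the request path reaches an existing file under a different name. */
    boolean isAlias(HttpServletRequest request) throws IOException {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        File requested = new File(docRoot, path);
        if (!requested.exists()) {
            return false; // nothing to alias; let the default servlet produce its own 404
        }
        // getCanonicalPath() returns the name the file system actually stores
        // (the real letter case on Windows, with symbolic links and ".." resolved).
        // If that differs from the literal request, the request is an alias.
        return !requested.getCanonicalPath().equals(requested.getPath());
    }

    public void destroy() {
    }
}
```

Register it with a filter-mapping whose url-pattern is /* so that every request passes through it before any servlet-mapping is consulted; the case-sensitive *.jsp mapping then never sees index.jSp at all, and the default servlet never gets the chance to serve it as a static file. Because the canonical path also resolves symbolic links and ".." segments, a resource reached through a symlink is rejected as an alias too; relax the comparison if that is not the policy you want.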