From: Rick Knowles <rick@kn...> - 2009-11-16 14:20:37
Actually Hudson is overriding the static URL servlet (which implements
the security checks you talked about) in winstone by mapping the / path
to the Stapler servlet, so there is nothing Winstone could do about this
even if it wanted to.
Your comment about scrubbing URLs is interesting - if you can point me
to somewhere in the servlet spec that says the container is even allowed
to modify URLs (let alone required to sanitize them) before passing them
to the container I'd consider implementing it, but I don't remember
seeing that anywhere; not to mention that doing so would probably break
a significant number of the Sun Servlet TCK tests required for using the
I think you'll find this is Hudson's problem not Winstone's, especially
given the fact that it overrides the root servlet.
All the best,
William B McConaghy wrote:
> I am running hudson in standalone mode, which uses the latest
> winstone. Execute java -jar hudson.war. This starts winstone up
> listening on 8080. Use telnet to connect.
> telnet localhost 8080
> On my machine, this GET string retrieves /etc/hosts
> GET /../../../../../../etc/hosts
> same with /etc/passwd
> GET /../../../../../../etc/passwd
> Please note that you cannot use your browser to replicate this
> behavior as all the browsers I have tried scrub the traversals off the
> front of the URL and just send the remaining string, since they know
> such URLs are invalid.
> You can also reproduce with python and urllib.
> import urllib
> f = urllib.urlopen("http://localhost:8080/../../../../../../etc/hosts")
> print f.read()
> This may be the hudson app not handling URL strings that start with
> traversals correctly, but the app should never receive such a URL in
> the first place, as the scrubbing should be handled by the JEE container.
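The thread turns on where the traversal check belongs: the static-file servlet that Winstone normally maps to / (and that Hudson's Stapler mapping displaces) is expected to refuse a request path that climbs above the document root before anything touches the filesystem. The following is an added example written for this page, not code from Winstone, Hudson or the original poster, showing the two checks such a servlet would apply: lexical normalization of the decoded URL path (rejecting rather than silently scrubbing leading ".." segments) followed by a containment check on the resolved filesystem path. It is Python 3, unlike the Python 2 reproduction above; the WEBROOT value and the function names are assumptions for the example.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example; not Winstone's real layout.
WEBROOT = "/var/www/webapp"


def normalize_request_path(raw_path):
    """Decode and normalize a request path the way a static-file servlet
    should before it maps the path to a file.

    Returns the normalized path (always starting with "/"), or None when
    the request tries to climb above the root, which is what the
    "/../../../../../../etc/hosts" request in the thread does.
    """
    # Percent-decode once, so "%2e%2e" and ".." are treated alike.
    path = unquote(raw_path)
    # NUL bytes and backslashes have no business in a URL path and confuse
    # filesystem APIs; refuse them outright.
    if "\x00" in path or "\\" in path:
        return None
    if not path.startswith("/"):
        path = "/" + path
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue          # collapse "//" and "/./"
        if seg == "..":
            if not segments:
                # Climbing above the root: reject instead of scrubbing, so
                # the request never reaches the filesystem at all.
                return None
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def resolve_static_file(raw_path, webroot=WEBROOT):
    """Map a request path to a file under webroot, or return None.

    The lexical check above is followed by an independent containment
    check on the resolved path, which also catches a symlink inside the
    root that points outside it once the file actually exists.
    """
    clean = normalize_request_path(raw_path)
    if clean is None:
        return None
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, clean.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: the two from the thread plus benign ones.
    for req in ("/../../../../../../etc/hosts",
                "/%2e%2e/%2e%2e/etc/passwd",
                "/static/../index.html",
                "/css//site.css"):
        print(req, "->", resolve_static_file(req))
```

Note that the function refuses a path that escapes the root rather than stripping the leading traversal the way the browsers in the report do; a request that is malformed on arrival should produce a 400 or 404, not be quietly rewritten into a different request.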