[Jetty-support] Release 5.1.6 (JSP+windows security fix).


[Jetty-support] Release 5.1.6 (JSP+windows security fix).

Greg Wilkins-5

Jetty release 5.1.6 is now available via http://jetty.mortbay.org.

This release fixes a security vulnerability with JSP and Windows that
allows the source of a JSP file to be viewed. This issue appears to
exist in all previous versions of Jetty.

Unix platforms are not affected.

If you are running on Windows and use JSPs, then it is advisable
to update to 5.1.6 to protect your JSPs from inspection (and possible
discovery of application vulnerabilities). Alternately, the attached
filter may be deployed in existing Jetty releases to protect from this
issue.

Jetty-5.1.6 - 18 November 2005
 + Fixed JSP visibility security issue.
 + Improved jetty-web.xml access to org.mortbay classes.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Fix5CFilter.
 *
 * Mapped onto the default servlet, this filter refuses with 403 any request
 * whose URI ends in a percent-encoded backslash (%5c or %5C) and passes
 * every other request through unchanged.
 *
 * Configure with:
 *
  <filter>
    <filter-name>Fix5C</filter-name>
    <filter-class>Fix5CFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>Fix5C</filter-name>
    <servlet-name>default</servlet-name>
  </filter-mapping>
 */
public class Fix5CFilter implements Filter
{

    public void init(FilterConfig filterConfig) throws ServletException
    {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        // getRequestURI() returns the path as received, still percent-encoded
        // and without the query string, so the suffix test sees "%5c" literally.
        String uri = ((HttpServletRequest)request).getRequestURI();
        if (uri.endsWith("%5c") || uri.endsWith("%5C"))
        {
            ((HttpServletResponse)response).sendError(403);
        }
        else
        {
            chain.doFilter(request, response);
        }
    }

    public void destroy()
    {
    }

}
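A stricter variant of the same idea, added here as an example and not part of Greg's attachment or the Jetty code base: it refuses a backslash anywhere in the raw request URI, literal or percent-encoded in either case, rather than only at the end, and keeps the decision in a small static method so it can be checked outside a container. The class name, the helper and the sample URIs in main are my own constructions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* BackslashRejectFilter (hypothetical name): map it onto the default servlet
 * exactly as Fix5C is mapped in the web.xml snippet above. */
public class BackslashRejectFilter implements Filter
{
    /* True if the raw (undecoded) URI carries a backslash in any position,
     * literal '\' or percent-encoded as %5c / %5C. A backslash is not a legal
     * URI path character, so refusing such requests breaks no legitimate use. */
    static boolean containsBackslash(String rawUri)
    {
        if (rawUri == null)
            return false;
        return rawUri.indexOf('\\') >= 0 || rawUri.toLowerCase().indexOf("%5c") >= 0;
    }

    public void init(FilterConfig filterConfig) throws ServletException {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        // getRequestURI() is the path as received on the wire: still encoded,
        // query string excluded, so the check sees exactly what the client sent.
        String uri = ((HttpServletRequest) request).getRequestURI();
        if (containsBackslash(uri))
        {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}
    // Constructed sample URIs exercising the decision outside a container (run with -ea).
    public static void main(String[] args)
    {
        String[] refused = { "/index.jsp%5c", "/index.jsp%5C", "/a%5Cb/x.jsp", "/a\\x.jsp" };
        String[] allowed = { "/index.jsp", "/a/b/c.html", "/docs%20v2/x.jsp" };
        for (String u : refused) assert containsBackslash(u) : u;
        for (String u : allowed) assert !containsBackslash(u) : u;
    }
}
```

Compiling needs the servlet API jar on the classpath, as for the original filter; the main method only exercises the pure decision logic.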

Re: [Jetty-support] Release 5.1.6 (JSP+windows security fix).

ybx123
Can someone describe the details of how to apply the fix? A detailed step-by-step instruction would be appreciated!
