[Jetty-support] Release 5.1.6 (JSP+windows security fix).


[Jetty-support] Release 5.1.6 (JSP+windows security fix).

by Gregw



Jetty release 5.1.6 is now available via http://jetty.mortbay.org.

This release fixes a security vulnerability with JSP and Windows that
allows the source of a JSP file to be viewed. This issue appears to
exist in all previous versions of jetty.

Unix platforms are not affected.

If you are running on Windows and use JSPs, then it is advisable
to update to 5.1.6 to protect your JSPs from inspection (and possible
discovery of application vulnerabilities).  Alternately, the attached
filter may be deployed in existing Jetty releases to protect from this
issue.

Jetty-5.1.6 - 18 November 2005
 + Fixed JSP visibility security issue.
 + Improved jetty-web.xml access to org.mortbay classes.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Fix5CFilter.
 *
 * Configure with:
 *
  <filter>
    <filter-name>Fix5C</filter-name>
    <filter-class>Fix5CFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>Fix5C</filter-name>
    <servlet-name>default</servlet-name>
  </filter-mapping>
 */
public class Fix5CFilter implements Filter
{

    public void init(FilterConfig filterConfig) throws ServletException
    {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        // getRequestURI() returns the raw, still URL-encoded path (query string
        // excluded). Refuse any request whose path ends in an encoded backslash
        // ("%5c" in either case), the form used by the Windows JSP source
        // disclosure issue this filter works around.
        if (((HttpServletRequest)request).getRequestURI().endsWith("%5c") ||
            ((HttpServletRequest)request).getRequestURI().endsWith("%5C"))
        {
            ((HttpServletResponse)response).sendError(403);
        }
        else
        {
            // Not the blocked form: hand the request on to the default servlet.
            chain.doFilter(request, response);
        }
    }

    public void destroy()
    {
    }

}
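The filter above blocks the request shape at the server; an operator who has to decide whether an existing Windows deployment was probed before the filter or the 5.1.6 upgrade went in will want to check the request log for the same pattern. The script below is an added example, not part of Greg's post or of Jetty: it parses NCSA-style request log lines (the sample lines are constructed, not real traffic), applies the same test the Fix5CFilter applies (raw path, query string ignored, either case of %5c), and separates requests the filter answered with 403 from requests that were served with 200. The function and variable names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in NCSA common format. These are not real entries;
# they exist only so the example runs offline.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2005:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [18/Nov/2005:10:01:07 +0000] "GET /app/index.jsp%5c HTTP/1.1" 200 2210
10.0.0.9 - - [18/Nov/2005:10:01:09 +0000] "GET /app/admin/login.jsp%5C HTTP/1.1" 403 0
10.0.0.7 - - [18/Nov/2005:10:02:00 +0000] "GET /app/images/logo.png HTTP/1.1" 200 812
10.0.0.9 - - [18/Nov/2005:10:02:30 +0000] "GET /app/index.jsp?x=%5c HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Return a dict of the log fields, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def path_ends_with_encoded_backslash(target):
    """Same test Fix5CFilter applies to getRequestURI(): look only at the
    raw, still-encoded path (no query string) and accept %5c in either case."""
    path = urlsplit(target).path  # urlsplit does not percent-decode
    return path.lower().endswith("%5c")


def scan(log_text):
    """Return the parsed records whose request path ends in %5c/%5C, each
    tagged with whether the server refused it (403) or served it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not path_ends_with_encoded_backslash(rec["target"]):
            continue
        rec["blocked"] = rec["status"] == 403
        findings.append(rec)
    return findings


def summarize(findings):
    """Count findings the filter blocked versus ones that were served."""
    blocked = sum(1 for f in findings if f["blocked"])
    return {"blocked": blocked, "served": len(findings) - blocked}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        state = "blocked" if h["blocked"] else "SERVED"
        print(f"{h['ts']} {h['ip']} {h['method']} {h['target']} -> {h['status']} ({state})")
    print(summarize(hits))
```

A request that was served with 200 before the fix went in is the one worth following up; the request log alone does not show what body was returned, so treat such entries as "possibly disclosed" rather than proof. The query-string line is deliberately left out of the findings, matching the filter, which only looks at the path.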

Re: [Jetty-support] Release 5.1.6 (JSP+windows security fix).

by ybx123


Can someone describe the details of how to apply the fix? A detailed step-by-step instruction would be appreciated!

Gregw wrote:
Jetty release 5.1.6 is now available via http://jetty.mortbay.org.

This release fixes a security vulnerability with JSP and Windows that
allows the source of a JSP file to be viewed. This issue appears to
exist in all previous versions of jetty.

Unix platforms are not affected.

If you are running on Windows and use JSPs, then it is advisable
to update to 5.1.6 to protect your JSPs from inspection (and possible
discovery of application vulnerabilities).  Alternately, the attached
filter may be deployed in existing Jetty releases to protect from this
issue.

Jetty-5.1.6 - 18 November 2005
 + Fixed JSP visibility security issue.
 + Improved jetty-web.xml access to org.mortbay classes.








import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Fix5CFilter.
 *
 * Configure with:
 *
  <filter>
    <filter-name>Fix5C</filter-name>
    <filter-class>Fix5CFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>Fix5C</filter-name>
    <servlet-name>default</servlet-name>
  </filter-mapping>
 */
public class Fix5CFilter implements Filter
{

    public void init(FilterConfig filterConfig) throws ServletException
    {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        if (((HttpServletRequest)request).getRequestURI().endsWith("%5c") ||
            ((HttpServletRequest)request).getRequestURI().endsWith("%5C"))
        {
            ((HttpServletResponse)response).sendError(403);
        }
        else
        {
            chain.doFilter(request, response);
        }
    }

    public void destroy()
    {
    }

}