joakime commented on PR #308: URL: https://github.com/apache/felix-dev/pull/308#issuecomment-2438913766
Please ensure that your documentation on this points out ... 1. this is in direct violation of the Servlet 6 spec to enable this. 2. enabling this and can disable (well, "allow bypass of" is probably a better way to describe it) many security safeguards you have on your servlet webappl 3. there is no guarantee that it will work or be available in future Jetty EE releases (we're good for support in Jetty 12.1.x and ee11 btw). It is very possible that the Servlet spec itself puts these kinds of enforcement into the Servlet spec itself, making Jetty's ability to bypass this impossible in a future release. For point 2, if you enable this spec bypass, as a safeguard, do not put any content that you don't want people to access directly in the webapp in your WEB-INF directory. Also don't put raw JSP files in your WAR, make sure to precompile them into classes with no raw JSP files present. Don't get me wrong, Jetty will still make a best effort to prevent these kinds of access bypasses, but that's increasingly difficult, and the malicious actors are increasingly creative in this space, so don't let your guard down. Btw, this is a servlet spec specific concern. Using non-servlet Jetty Core, you do not have the issue requiring this bypass. Might be a good idea to document the types of URL that can trigger the need for this feature to be enabled, and provide alternative ways to define your URL space to not rely on these disallowed concepts in the servlet spec. Similar to what was done at https://github.com/jetty/jetty.project/issues/12346#issuecomment-2391677068 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@felix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
