[
https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=161393#comment-161393
]
dogfood commented on JENKINS-11538:
-----------------------------------
Integrated in !http://ci.jenkins-ci.org/images/16x16/yellow.png!
[jenkins_main_trunk #1649|http://ci.jenkins-ci.org/job/jenkins_main_trunk/1649/]
[FIXED JENKINS-11538] integrated Stapler 1.187 that contains the fix.
(Revision 9acf12f7976bd97bfa125e4b715ae340be8c1715)
Result = UNSTABLE
Kohsuke Kawaguchi :
[9acf12f7976bd97bfa125e4b715ae340be8c1715|https://github.com/jenkinsci/jenkins/commit/9acf12f7976bd97bfa125e4b715ae340be8c1715]
Files :
* core/pom.xml
> Jenkins serves existing files regardless of security
> ----------------------------------------------------
>
> Key: JENKINS-11538
> URL: https://issues.jenkins-ci.org/browse/JENKINS-11538
> Project: Jenkins
> Issue Type: Bug
> Components: security, www
> Affects Versions: current
> Environment: Jenkins 1.436, Windows 7 64-bit SP1, built-in Winstone
> servlet engine 0.9.10
> Reporter: Steve Betts
> Priority: Critical
>
> A URL of the form (note the dot): https://<server>/WEB-INF./web.xml will
> return the file, even with security turned on and the client unauthenticated.
> As will any other URL that references a valid filename with a '.' after the
> first directory name, such as https://<server>/scripts./behavior.js.
> These behaviors are considered vulnerabilities by our large corporation.
> http://xforce.iss.net/xforce/xfdb/9446
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1858
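The trailing-dot alias the report describes is a path-canonicalization failure: the container decides whether a path is protected by comparing the raw request string, while the Windows file system resolves `WEB-INF.` to `WEB-INF`. As an added illustration that is not code from Jenkins, Stapler or the reporter (the Stapler 1.187 fix itself is not shown on this page), the Python below contrasts a naive prefix check with one that canonicalizes first; it goes a little beyond the report by also folding case, since Windows file names are case-insensitive, and by showing the stricter option of refusing any request whose path is not already canonical. All names (`PROTECTED_PREFIXES`, `canonicalize`, the sample request list) are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Directories under the web root that a servlet container must never serve
# to clients. (Constructed for this example; a real deployment would take
# these from its configuration.)
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def naive_is_protected(request_path: str) -> bool:
    """Prefix check on the raw request path.

    A hypothetical filter of this shape is what the report defeats: on Windows
    the file system opens 'WEB-INF.' as 'WEB-INF', but the string comparison
    below does not know that.
    """
    return request_path.startswith(PROTECTED_PREFIXES)


def _normalize_windows_segment(segment: str) -> str:
    # Win32 name resolution silently discards trailing dots and spaces from a
    # path component, so 'WEB-INF.' and 'WEB-INF' name the same directory.
    return segment.rstrip(". ")


def canonicalize(request_path: str) -> str:
    """Return the path the Windows file system would actually open.

    Steps: percent-decode, fold backslashes to slashes, resolve '.' and '..'
    lexically, then apply the trailing-dot/space rule to every segment.
    """
    path = unquote(request_path).replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    segments = [_normalize_windows_segment(s) for s in path.split("/")]
    return "/" + "/".join(s for s in segments if s)


def hardened_is_protected(request_path: str) -> bool:
    """Prefix check on the canonical path, compared case-insensitively
    because Windows file names are case-insensitive."""
    canon = canonicalize(request_path).upper()
    return canon.startswith(tuple(p.upper() for p in PROTECTED_PREFIXES))


def is_canonical(request_path: str) -> bool:
    """True when the decoded request path already equals its canonical form.

    A conservative server refuses any request for which this is False
    (HTTP 400 or 404) instead of guessing which file the client meant; that
    closes the whole class of alias bypasses, not just the trailing-dot one.
    """
    return canonicalize(request_path) == unquote(request_path)


# Constructed sample request paths: the two from the report plus variants
# (a '..' hop, a percent-encoded letter, a different case).
SAMPLE_REQUESTS = [
    "/WEB-INF/web.xml",
    "/WEB-INF./web.xml",
    "/scripts/../WEB-INF./web.xml",
    "/%57EB-INF./web.xml",
    "/web-inf/web.xml",
    "/scripts./behavior.js",
    "/scripts/behavior.js",
]


def triage(paths=SAMPLE_REQUESTS) -> dict:
    """Map each request path to (naive verdict, hardened verdict, canonical?)."""
    return {
        p: (naive_is_protected(p), hardened_is_protected(p), is_canonical(p))
        for p in paths
    }


if __name__ == "__main__":
    for path, (naive, hardened, canonical) in triage().items():
        print(f"{path:32} naive={naive!s:5} hardened={hardened!s:5} canonical={canonical}")
```

Running the block prints one line per sample path; the interesting rows are the ones where `naive` is False but `hardened` is True, which are exactly the aliases the raw-string check lets through. Because canonicalization is lexical, it never touches the disk, so the check can run before any file is opened.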
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira