Internal jetty server allows anonymous access to local files
------------------------------------------------------------

                 Key: CDV-852
                 URL: https://jira.terracotta.org/jira//browse/CDV-852
             Project: Community Development
          Issue Type: Bug
    Affects Versions: 2.5.4, 2.5.1
            Reporter: Eric Green
            Assignee: Issue Review Board


The Terracotta server allows remote users to access local files via the 
internal Jetty server.  This can be reproduced by running 
$TC_HOME/bin/start-tc-server.sh to start the server (using the default config 
is fine) and pointing a web browser at http://<host>:9510/.  You will see a 
list of all files in the directory you were in when you started the server, as 
well as view any files in that directory or any subdirectories.  Your JMX 
passwords can be viewed this way if they are in the same directory that you 
start the server from.

I could find no way to modify this behavior from the configuration files.  As a 
workaround, you could start the server from an empty directory and configure 
logs and data to go to directories in a different path.

This bug is because Jetty by default enables the DefaultServlet on the root 
context.  This is controlled by the webdefault.xml file found in the Jetty jar. 
This behavior can be disabled by setting the defaults descriptor used by Jetty 
to null in code/base/deploy/src/com/tc/server/TCServerImpl.java, method 
startHTTPServer(...), adding the line:

context.setDefaultsDescriptor(null);

immediately after creating the context object.

I found the bug working in 2.5.1 and 2.5.4, so it is likely in all 2.5.x 
releases.  I was not able to reproduce this in the 2.6.2 release.  It was 
likely resolved in 2.6 as a side effect when the initialization of the Jetty 
server was significantly changed.

-- 
This message is automatically generated by JIRA.

_______________________________________________
tc-dev mailing list
tc-dev@lists.terracotta.org
http://lists.terracotta.org/mailman/listinfo/tc-dev
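A minimal Jetty 6 embedding illustrating the default behaviour and the fix described in the report. This is an added example, not Terracotta's TCServerImpl code; it assumes the org.mortbay Jetty 6 API that Terracotta 2.5.x shipped with, and the class and method names are hypothetical.

```java
// Added example (not Terracotta's TCServerImpl): shows the root context as the
// report describes it, and the same context with the defaults descriptor
// cleared so webdefault.xml (and its DefaultServlet) is never loaded.
import org.mortbay.jetty.Server;
import org.mortbay.jetty.webapp.WebAppContext;

public class HttpServerExample {

    /** Builds the root context; hardened=false reproduces the reported exposure. */
    static WebAppContext buildContext(boolean hardened) {
        WebAppContext context = new WebAppContext();
        context.setContextPath("/");
        // The report saw a listing of the directory the server was started
        // from, so use that directory as the resource base here (constructed
        // for the example; the real server's resource base may differ).
        context.setResourceBase(System.getProperty("user.dir"));
        if (hardened) {
            // No defaults descriptor: webdefault.xml is not read, so no
            // DefaultServlet is registered on "/" and requests for the
            // working directory's files get 404 instead of a listing.
            context.setDefaultsDescriptor(null);
        }
        return context;
    }

    /** Starts the HTTP server on the given port (9510 in the report). */
    static Server startHttpServer(int port, boolean hardened) throws Exception {
        Server server = new Server(port);
        server.setHandler(buildContext(hardened));
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = startHttpServer(9510, true);
        System.out.println("Listening on 9510; GET / should return 404, not a directory listing.");
        server.join();
    }
}
```

To verify the fix, point a browser at http://<host>:9510/ as in the report: a hardened server returns 404 where the 2.5.x default returned the file listing.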