[ 
https://jira.terracotta.org/jira//browse/CDV-852?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fiona O'Shea resolved CDV-852.
------------------------------

    Fix Version/s: 2.6.2
       Resolution: Fixed

> Internal jetty server allows anonymous access to local files
> ------------------------------------------------------------
>
>                 Key: CDV-852
>                 URL: https://jira.terracotta.org/jira//browse/CDV-852
>             Project: Community Development
>          Issue Type: Bug
>    Affects Versions: 2.5.1, 2.5.4
>            Reporter: Eric Green
>            Assignee: Issue Review Board
>             Fix For: 2.6.2
>
>
> The terracotta server allows remote users to access local files via the 
> internal Jetty server.  This can be reproduced by running the 
> $TC_HOME/bin/start-tc-server.sh to start the server (using the default config 
> is fine) and pointing a web browser at http://<host>:9510/.  You will see a 
> list of all files in the directory you were in when you started the server, 
> as well as view any files in that directory or any subdirectories.  Your jmx 
> passwords can be viewed this way if they are in the same directory that you 
> start the server from.
> I could find no way to modify this behavior from the configuration files.  As 
> a workaround, you could start the server from an empty directory and 
> configure logs and data to go to directories in a different path.
> This bug occurs because Jetty by default enables the DefaultServlet on the root 
> context.  This is controlled by the webdefault.xml file found in the Jetty 
> jar.  This behavior can be disabled by setting the defaults descriptor used 
> by Jetty to null in code/base/deploy/src/com/tc/server/TCServerImpl.java, 
> method startHTTPServer(...), adding the line:
> context.setDefaultsDescriptor(null);
> immediately after creating the context object.
> I found the bug working in 2.5.1 and 2.5.4, so it is likely in all 2.5.x 
> releases.  I was not able to reproduce this in the 2.6.2 release.  It was 
> likely resolved in 2.6 as a side effect when the initialization of the jetty 
> server was significantly changed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.terracotta.org/jira//secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
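Below is an added illustration of the weak root-context setup the report describes next to a hardened one; it is not Terracotta's code, and it assumes the Jetty 9 (org.eclipse.jetty) API rather than the Jetty 6 (org.mortbay) build that Terracotta 2.5 bundled, where setDefaultsDescriptor(null) has the same effect. The static directory path in main() is a placeholder.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.webapp.WebAppContext;

public class RootContextHardening {

    // Weak shape (what the report describes): a root context whose resource base
    // is the JVM's working directory. The bundled webdefault.xml registers
    // DefaultServlet with dirAllowed=true, so GET / lists that directory and any
    // file in it (jmx password files included) can be fetched.
    static WebAppContext weakRootContext() {
        WebAppContext ctx = new WebAppContext();
        ctx.setContextPath("/");
        ctx.setResourceBase(System.getProperty("user.dir"));
        return ctx; // defaults descriptor left as-is -> DefaultServlet active
    }

    // Hardened shape, following the fix in the report: no defaults descriptor,
    // so no DefaultServlet is mapped at the root. The resource base is also
    // pinned to a dedicated, empty directory (the report's workaround), so a
    // later re-added file servlet cannot expose the start directory.
    static WebAppContext hardenedRootContext(String emptyStaticDir) {
        WebAppContext ctx = new WebAppContext();
        ctx.setContextPath("/");
        ctx.setDefaultsDescriptor(null); // the one-line fix from the report
        ctx.setResourceBase(emptyStaticDir);
        return ctx;
    }

    // If static files genuinely must be served, register DefaultServlet
    // explicitly with directory listings disabled instead of inheriting
    // webdefault.xml, and point it at a directory that holds only those files.
    static ServletContextHandler explicitStaticContext(String staticDir) {
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ctx.setContextPath("/");
        ctx.setResourceBase(staticDir);
        ServletHolder files = new ServletHolder("files", DefaultServlet.class);
        files.setInitParameter("dirAllowed", "false");
        ctx.addServlet(files, "/");
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(9510); // port from the report
        // Placeholder path (assumption): an empty directory owned by the server user.
        server.setHandler(hardenedRootContext("/var/lib/tc-server/empty-webroot"));
        server.start();
        server.join();
    }
}
```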

_______________________________________________
tc-dev mailing list
tc-dev@lists.terracotta.org
http://lists.terracotta.org/mailman/listinfo/tc-dev