From 55c385e96e6594ec1ac3b5cd41ccd2df6048b696 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gmail.com>
Date: Tue, 15 Sep 2015 07:42:11 -0400
Subject: [PATCH] Merge pull request #915 from lucamilanesio/lucene-5.2.1
---
src/main/java/com/gitblit/guice/WebModule.java | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java
index 5b56918..a406270 100644
--- a/src/main/java/com/gitblit/guice/WebModule.java
+++ b/src/main/java/com/gitblit/guice/WebModule.java
@@ -18,7 +18,9 @@
import java.util.HashMap;
import java.util.Map;
+import com.gitblit.AvatarGenerator;
import com.gitblit.Constants;
+import com.gitblit.servlet.AccessDeniedServlet;
import com.gitblit.servlet.BranchGraphServlet;
import com.gitblit.servlet.DownloadZipFilter;
import com.gitblit.servlet.DownloadZipServlet;
@@ -55,6 +57,10 @@
@Override
protected void configureServlets() {
+
+ // bind web component providers
+ bind(AvatarGenerator.class).toProvider(AvatarGeneratorProvider.class);
+
// servlets
serve(fuzzy(Constants.R_PATH), fuzzy(Constants.GIT_PATH)).with(GitServlet.class);
serve(fuzzy(Constants.RAW_PATH)).with(RawServlet.class);
@@ -70,6 +76,17 @@
serve("/robots.txt").with(RobotsTxtServlet.class);
serve("/logo.png").with(LogoServlet.class);
+ /* Prevent accidental access to 'resources' such as GitBlit java classes
+ *
+ * In the GO setup the JAR containing the application and the WAR injected
+ * into Jetty are the same file. However Jetty expects to serve the entire WAR
+ * contents, except the WEB-INF folder. Thus, all java binary classes in the
+ * JAR are served by default as is they were legitimate resources.
+ *
+ * The below servlet mappings prevent that behavior
+ */
+ serve(fuzzy("/com/")).with(AccessDeniedServlet.class);
+
// global filters
filter(ALL).through(ProxyFilter.class);
filter(ALL).through(EnforceAuthenticationFilter.class);
--
Gitblit v1.9.1