From e5227a46f4405dd8bfcc1582356f8e12d1e928c0 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Mayer <jean-baptiste.mayer@m4x.org>
Date: Tue, 14 Apr 2015 17:33:02 -0400
Subject: [PATCH] Deny access to /com and /org folders in GO setup

---
 src/main/java/com/gitblit/guice/WebModule.java |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java
index 5b56918..4a0cfcd 100644
--- a/src/main/java/com/gitblit/guice/WebModule.java
+++ b/src/main/java/com/gitblit/guice/WebModule.java
@@ -19,6 +19,7 @@
 import java.util.Map;
 
 import com.gitblit.Constants;
+import com.gitblit.servlet.AccessDeniedServlet;
 import com.gitblit.servlet.BranchGraphServlet;
 import com.gitblit.servlet.DownloadZipFilter;
 import com.gitblit.servlet.DownloadZipServlet;
@@ -52,6 +53,11 @@
 public class WebModule extends ServletModule {
 
 	final static String ALL = "/*";
+	private boolean isGO;
+
+	public WebModule(boolean isGO) {
+		this.isGO=isGO;
+	}
 
 	@Override
 	protected void configureServlets() {
@@ -69,7 +75,20 @@
 		serve(Constants.PT_PATH).with(PtServlet.class);
 		serve("/robots.txt").with(RobotsTxtServlet.class);
 		serve("/logo.png").with(LogoServlet.class);
-
+		if(isGO)
+		{
+			/* Prevent accidental access to 'resources' such as GitBlit java classes
+			 *
+			 * In the GO setup the JAR containing the application and the WAR injected
+			 * into Jetty are the same file. However Jetty expects to serve the entire WAR
+			 * contents, except the WEB-INF folder. Thus, all java binary classes in the
+			 * JAR are served by default as is they were legitimate resources.
+			 *
+			 * The below servlet mappings prevent that behavior
+			 */
+			serve(fuzzy("/com/")).with(AccessDeniedServlet.class);
+			serve(fuzzy("/org/")).with(AccessDeniedServlet.class);
+		}
 		// global filters
 		filter(ALL).through(ProxyFilter.class);
 		filter(ALL).through(EnforceAuthenticationFilter.class);

--
Gitblit v1.9.1