From c36bfeced34a34638e363461cea0804da6dbc5c3 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 21 May 2015 21:38:32 -0400
Subject: [PATCH] Merged #248 "Deny access to /com/* url path"

---
 src/main/java/com/gitblit/guice/WebModule.java |   30 ++++++++++++++++++++++++------
 1 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java
index b4f9899..c6172c3 100644
--- a/src/main/java/com/gitblit/guice/WebModule.java
+++ b/src/main/java/com/gitblit/guice/WebModule.java
@@ -19,19 +19,26 @@
 import java.util.Map;
 
 import com.gitblit.Constants;
+import com.gitblit.servlet.AccessDeniedServlet;
 import com.gitblit.servlet.BranchGraphServlet;
+import com.gitblit.servlet.DownloadZipFilter;
 import com.gitblit.servlet.DownloadZipServlet;
 import com.gitblit.servlet.EnforceAuthenticationFilter;
 import com.gitblit.servlet.FederationServlet;
+import com.gitblit.servlet.GitFilter;
 import com.gitblit.servlet.GitServlet;
 import com.gitblit.servlet.LogoServlet;
+import com.gitblit.servlet.PagesFilter;
 import com.gitblit.servlet.PagesServlet;
 import com.gitblit.servlet.ProxyFilter;
 import com.gitblit.servlet.PtServlet;
+import com.gitblit.servlet.RawFilter;
 import com.gitblit.servlet.RawServlet;
 import com.gitblit.servlet.RobotsTxtServlet;
+import com.gitblit.servlet.RpcFilter;
 import com.gitblit.servlet.RpcServlet;
 import com.gitblit.servlet.SparkleShareInviteServlet;
+import com.gitblit.servlet.SyndicationFilter;
 import com.gitblit.servlet.SyndicationServlet;
 import com.gitblit.wicket.GitblitWicketFilter;
 import com.google.common.base.Joiner;
@@ -64,17 +71,28 @@
 		serve("/robots.txt").with(RobotsTxtServlet.class);
 		serve("/logo.png").with(LogoServlet.class);
 
+		/* Prevent accidental access to 'resources' such as GitBlit java classes
+		 *
+		 * In the GO setup the JAR containing the application and the WAR injected
+		 * into Jetty are the same file. However Jetty expects to serve the entire WAR
+		 * contents, except the WEB-INF folder. Thus, all java binary classes in the
+		 * JAR are served by default as is they were legitimate resources.
+		 *
+		 * The below servlet mappings prevent that behavior
+		 */
+		serve(fuzzy("/com/")).with(AccessDeniedServlet.class);
+
 		// global filters
 		filter(ALL).through(ProxyFilter.class);
 		filter(ALL).through(EnforceAuthenticationFilter.class);
 
 		// security filters
-//		filter(fuzzy(Constants.R_PATH), fuzzy(Constants.GIT_PATH)).through(GitFilter.class);
-//		filter(fuzzy(Constants.RAW_PATH)).through(RawFilter.class);
-//		filter(fuzzy(Constants.PAGES)).through(PagesFilter.class);
-//		filter(fuzzy(Constants.RPC_PATH)).through(RpcFilter.class);
-//		filter(fuzzy(Constants.ZIP_PATH)).through(DownloadZipFilter.class);
-//		filter(fuzzy(Constants.SYNDICATION_PATH)).through(SyndicationFilter.class);
+		filter(fuzzy(Constants.R_PATH), fuzzy(Constants.GIT_PATH)).through(GitFilter.class);
+		filter(fuzzy(Constants.RAW_PATH)).through(RawFilter.class);
+		filter(fuzzy(Constants.PAGES)).through(PagesFilter.class);
+		filter(fuzzy(Constants.RPC_PATH)).through(RpcFilter.class);
+		filter(fuzzy(Constants.ZIP_PATH)).through(DownloadZipFilter.class);
+		filter(fuzzy(Constants.SYNDICATION_PATH)).through(SyndicationFilter.class);
 
 		// Wicket
 		String toIgnore = Joiner.on(",").join(Constants.R_PATH, Constants.GIT_PATH, Constants.RAW_PATH,

--
Gitblit v1.9.1