Now that jetty/jetty.project#8259 is fixed and incorporated into Bootique, let's test the issue and change AllowSymLinkAliasChecker back to the default SymlinkAllowedResourceAliasChecker. This would result in better Jetty security and will get rid of the warning in the logs:
WARN o.e.j.s.h.AllowSymLinkAliasChecker: Deprecated, use SymlinkAllowedResourceAliasChecker instead.
Also discovered the fact that Bootique-installed DefaultServlet is immune to this problem because its factory canonicalizes resource base, implicitly resolving symlinks. It only happens when DefaultServlet is added manually with "resourceBase" containing a symlink.
To improve security, we should switch back to the default SymlinkAllowedResourceAliasChecker, and then deal with the rare fallout with one of these approaches:
Advise users to "canonicalize" their resource bases configured outside of Bootique static servlets API
Provide explicit API (extender, or likely YAML config) to register known roots with the alias checker
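As an illustration of the first approach above (canonicalizing a resource base configured outside of Bootique's static servlets API), here is an added Jetty 10 example; it is not code from the Bootique project or from this issue. The path /var/www/static (assumed to be a symlink to the real content directory), the class name, and the use of a plain ServletContextHandler are assumptions; the Jetty calls (ServletContextHandler, DefaultServlet, SymlinkAllowedResourceAliasChecker) are the Jetty 10 API as I know it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

/**
 * Added example (not Bootique code): registers a DefaultServlet manually with a
 * canonicalized "resourceBase", so that the default SymlinkAllowedResourceAliasChecker
 * compares requested files against the real directory rather than a symlinked path.
 */
public class CanonicalStaticServer {

    /**
     * Resolve every symlink in the configured path (what Bootique's own factory does
     * implicitly) and fail fast if the result is not a directory.
     */
    static String canonicalResourceBase(String configured) throws IOException {
        Path real = Paths.get(configured).toRealPath(); // follows symlinks, throws if missing
        if (!Files.isDirectory(real)) {
            throw new IOException("resourceBase is not a directory: " + real);
        }
        return real.toString();
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");

        // Assumption: "/var/www/static" is a symlink pointing at the real content directory.
        String base = canonicalResourceBase("/var/www/static");

        // Keep the context base and the servlet base in sync so alias checks use the same root.
        context.setResourceBase(base);

        // Use the non-deprecated checker instead of AllowSymLinkAliasChecker.
        context.clearAliasChecks();
        context.addAliasCheck(new SymlinkAllowedResourceAliasChecker(context));

        ServletHolder holder = new ServletHolder("default", DefaultServlet.class);
        holder.setInitParameter("resourceBase", base);   // canonical path, not the symlink
        holder.setInitParameter("dirAllowed", "false");  // no directory listings
        context.addServlet(holder, "/");

        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

With the canonical path, a symlink that escapes the resource base is rejected by SymlinkAllowedResourceAliasChecker, while a symlinked resource base itself no longer causes every request to be treated as an alias.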