SymlinkAllowedResourceAliasChecker is initialized after checkAlias is called resulting that access to resource is denied #8296
Comments
@jlindman thanks for the reproducer. I think what you are doing by adding an alias checker for the link handler onto your webapp is wrong. This is related to the recent rework of the alias checkers into
I would have expected the alias checkers would not be applied for explicit calls to the getResource api and only needed through default servlet and resource handler. So we will need to review this.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
…Handler.doStart() Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
There are fixes for this merged with PR #8315; this will be available in a 10.0.12/11.0.12 release.
Jetty version(s)
11.0.8-11.0.11
Java version/vendor
(use: java -version)
openjdk version "17.0.3" 2022-04-19
OS type/version
Ubuntu 20.04.4 LTS
Description
I have a JAX-WS application that reads the configuration file /WEB-INF/sun-jaxws.xml.
When the WEB-INF directory is inside a directory that is a symlink, the sun-jaxws.xml file cannot be retrieved since it is not allowed because the WEB-INF directory is protected.
This results in the following error:
SEVERE: WSSERVLET11: failed to parse runtime descriptor: jakarta.xml.ws.WebServiceException: Runtime descriptor "/WEB-INF/sun-jaxws.xml" is missing
Adding below works with Jetty 11.0.7 (where webapp is a symlink):
However, with Jetty 11.0.8 this stopped working. It looks like the initialization of the AllowedResourceAliasChecker is now done too late(?). The resource base seems to be null when aliasCheck is made.
With 11.0.8 the resource base is null for the SymlinkAllowedResourceAliasChecker objects (which was not the case for 11.0.7).
In ContentHandler.checkAlias():1967
Stacktrace:
This can possibly be related to #8259
Here is a sample maven application that reproduces the behavior: symlinktest.tar.gz
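The ordering problem reported above, as an added example that is not part of the original issue and is not Jetty's code: a simplified model of a symlink-allowing alias check whose base is resolved only at start, so a check made earlier fails closed. The class name, method names and temporary directory layout are assumptions made for illustration; it needs Java 11+ and a filesystem that permits creating symlinks.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Simplified model of a symlink-allowing alias check; NOT Jetty's implementation.
public class AliasCheckOrderingDemo {
    private final Path configuredBase; // resource base as configured (may be a symlink)
    private Path realBase;             // resolved only in start(); null before that

    AliasCheckOrderingDemo(Path configuredBase) { this.configuredBase = configuredBase; }

    // Stand-in for the lifecycle start that resolves the base.
    void start() throws IOException { realBase = configuredBase.toRealPath(); }

    // Allow a path only if its symlink-resolved target stays under the resolved base.
    boolean check(Path requested) throws IOException {
        if (realBase == null) return false; // not started yet: fail closed
        return requested.toRealPath().startsWith(realBase);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: tmp/real/WEB-INF/sun-jaxws.xml, tmp/webapp -> tmp/real
        Path tmp = Files.createTempDirectory("alias-demo");
        Path real = Files.createDirectories(tmp.resolve("real"));
        Files.createDirectories(real.resolve("WEB-INF"));
        Files.writeString(real.resolve("WEB-INF/sun-jaxws.xml"), "<endpoints/>");
        Path webapp = Files.createSymbolicLink(tmp.resolve("webapp"), real);
        // A file outside the base, reachable through a link placed inside it.
        Path outside = Files.writeString(tmp.resolve("outside.txt"), "constructed");
        Files.createSymbolicLink(real.resolve("escape.txt"), outside);

        AliasCheckOrderingDemo checker = new AliasCheckOrderingDemo(webapp);
        Path descriptor = webapp.resolve("WEB-INF/sun-jaxws.xml");

        // Same request, checked before and after the base has been resolved.
        System.out.println("before start: " + checker.check(descriptor));
        checker.start();
        System.out.println("after start:  " + checker.check(descriptor));
        // A link that resolves outside the base must stay denied after start.
        System.out.println("escape link:  " + checker.check(webapp.resolve("escape.txt")));
    }
}
```

In this model the descriptor is denied before `start()` and allowed after it, while the link that leaves the base is denied in both states, which is the property a fix for the ordering must preserve.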