Jetty / JETTY-1004

Vulnerability in ResourceHandler and DefaultServlet with aliases


    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 6.1.16
    • Fix Version/s: 6.1.17
    • Component/s: Servlet


      A security vulnerability has been discovered in Jetty that affects
      all versions of Jetty up to and including 6.1.16 and 7.0.0.M2.
      On a vulnerable server, a crafted URL may access files outside of
      the web application or document tree.

      To be vulnerable to this issue, you must EITHER:

      • be using the DefaultServlet with support for aliases
        explicitly turned on, OR

      • be using the ResourceHandler class to serve static content.

      Furthermore, on Unix systems a server is only vulnerable if a
      directory whose name ends with the character '?' exists in the
      webapp or docroot. On Unix this is an unlikely situation.

      On Windows systems this directory does not need to exist, so
      there the vulnerability requires only a single change from the
      default configuration.

      The default configuration of webapplications is not vulnerable
      and if you have not edited the webdefault.xml file, then your
      application should not be affected.

      This issue has been assigned CERT advisory number VU#402580.

      A 6.1.17 release will be available shortly with this vulnerability
      closed. Some immediate preventive actions are listed below.

      If you are not using the ResourceHandler, then you should
      confirm that your Jetty instance is running with the
      DefaultServlet "aliases" initParam set to "false".
      You will find this setting in either your application's
      web.xml or in etc/webdefault.xml. If it is not set,
      then it takes the default, safe value of "false".
      You should also check that the
      system property is either not set, or set to true.

      If you are using the ResourceHandler, then you can secure your
      system against this vulnerability by compiling the source
      at the bottom of this message against the version of Jetty
      that you are using, and using an instance of this class instead
      of the ResourceHandler.

      If you have any questions about this, please do not
      hesitate to ask the Jetty team.


      package org.mortbay.jetty.cert;

      import java.net.MalformedURLException;

      import org.mortbay.jetty.handler.ResourceHandler;
      import org.mortbay.resource.Resource;
      import org.mortbay.util.StringUtil;
      import org.mortbay.util.URIUtil;

      public class TempFixResourceHandler extends ResourceHandler
      {
          public Resource getResource(String path) throws MalformedURLException
          {
              if (path!=null && path.indexOf('?')>=0)
              {
                  // Percent-encode any '?' so it is treated as an ordinary path
                  // character, then canonicalise; a path that climbs above the
                  // root canonicalises to null and is rejected.
                  path=URIUtil.decodePath(URIUtil.canonicalPath(StringUtil.replace(path,"?","%3F")));
                  if (path==null)
                      return null;
              }
              return super.getResource(path);
          }
      }
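
      As an added example, not part of this message and not the Jetty project's
      own code, the following embedded Jetty 6.1.x server applies both preventive
      actions described above: one static tree is served through the
      TempFixResourceHandler class given above in place of ResourceHandler, and a
      second tree is served through the DefaultServlet with the "aliases"
      initParam pinned to "false", so that the safe value holds even if an edited
      webdefault.xml says otherwise. The port, resource-base paths and the "/app"
      context path are assumed values.

```java
// Added example, not part of the JETTY-1004 message. Assumes Jetty 6.1.x on the
// classpath and the TempFixResourceHandler class from this message compiled
// into org.mortbay.jetty.cert. Port, paths and context path are assumptions.
import org.mortbay.jetty.Handler;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.cert.TempFixResourceHandler;
import org.mortbay.jetty.handler.DefaultHandler;
import org.mortbay.jetty.handler.HandlerList;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.DefaultServlet;
import org.mortbay.jetty.servlet.ServletHolder;

public class HardenedStaticServer
{
    public static void main(String[] args) throws Exception
    {
        Server server = new Server(8080);   // assumed port

        // Preventive action for ResourceHandler users: serve static files through
        // the temporary fix class. Any request path containing '?' is
        // percent-encoded and canonicalised before the file is resolved, so a
        // path that tries to climb above the resource base becomes null and the
        // request falls through to a 404 instead of reaching a file on disk.
        TempFixResourceHandler staticHandler = new TempFixResourceHandler();
        staticHandler.setResourceBase("/srv/www/docroot");      // assumed path
        staticHandler.setWelcomeFiles(new String[]{"index.html"});

        // Preventive action for DefaultServlet users: keep alias support off.
        // "false" is the default; setting it explicitly here overrides any
        // "true" inherited from an edited etc/webdefault.xml for this context.
        Context app = new Context(null, "/app", Context.NO_SESSIONS);   // assumed context path
        app.setResourceBase("/srv/www/app");                         // assumed path
        ServletHolder defaultServlet = new ServletHolder(DefaultServlet.class);
        defaultServlet.setInitParameter("aliases", "false");
        app.addServlet(defaultServlet, "/");

        // Handlers are tried in order; DefaultHandler answers 404 for the rest.
        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[]{staticHandler, app, new DefaultHandler()});
        server.setHandler(handlers);
        server.start();
        server.join();
    }
}
```

      After starting the server, confirm the two trees are wired as intended by
      requesting a known file from each, and then requesting a path that
      contains a '?' segment followed by "..": the first requests should return
      the files, the second should return 404 rather than anything outside the
      resource base.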

            • Assignee: Greg Wilkins