githubFork/gitblit.git - Solinfo Gitblit

			@@ -53,11 +53,6 @@
			public class WebModule extends ServletModule {

			final static String ALL = "/*";
			private boolean isGO;

			public WebModule(boolean isGO) {
			this.isGO=isGO;
			}

			@Override
			protected void configureServlets() {
			@@ -75,20 +70,18 @@
			serve(Constants.PT_PATH).with(PtServlet.class);
			serve("/robots.txt").with(RobotsTxtServlet.class);
			serve("/logo.png").with(LogoServlet.class);
			if(isGO)
			{
			/* Prevent accidental access to 'resources' such as GitBlit java classes
			*
			* In the GO setup the JAR containing the application and the WAR injected
			* into Jetty are the same file. However Jetty expects to serve the entire WAR
			* contents, except the WEB-INF folder. Thus, all java binary classes in the
			* JAR are served by default as is they were legitimate resources.
			*
			* The below servlet mappings prevent that behavior
			*/
			serve(fuzzy("/com/")).with(AccessDeniedServlet.class);
			serve(fuzzy("/org/")).with(AccessDeniedServlet.class);
			}

			/* Prevent accidental access to 'resources' such as GitBlit java classes
			*
			* In the GO setup the JAR containing the application and the WAR injected
			* into Jetty are the same file. However Jetty expects to serve the entire WAR
			* contents, except the WEB-INF folder. Thus, all java binary classes in the
			* JAR are served by default as is they were legitimate resources.
			*
			* The below servlet mappings prevent that behavior
			*/
			serve(fuzzy("/com/")).with(AccessDeniedServlet.class);

			// global filters
			filter(ALL).through(ProxyFilter.class);
			filter(ALL).through(EnforceAuthenticationFilter.class);