gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0
2.28k stars, 670 forks

directory traversal in gitblit v1.9.2 #1409

Closed xxcdd closed 1 year ago

xxcdd commented 2 years ago

When I request GET /resources//../WEB-INF/web.xml using Burp Suite, I get the raw content of web.xml. GET /resources//../ can get all files in the directory /resources/.

This can cause a security issue; I hope it gets fixed.

flaix commented 1 year ago

This is resolved by updating Jetty to the latest version. At least I could not reproduce it after updating the embedded Jetty.
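The report above shows why the request works: the empty segment in /resources//../ is collapsed and the .. then steps out of /resources/ into /WEB-INF/. The following is an added example, not Gitblit's or Jetty's own code, that does the canonicalization a static-resource handler must perform before comparing a path with its allowed prefix, and then runs that same check over a few constructed access-log lines so an operator can tell from existing logs whether such requests were actually served (status 200) or already refused. The log lines, IP addresses and the gitblit.css file name are made up for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Gitblit logs). The first two use the
# request paths quoted in the issue; the third is ordinary traffic; the fourth is the
# same traversal with percent-encoded dots, which a decoder must handle too.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /resources//../WEB-INF/web.xml HTTP/1.1" 200 1432
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /resources//../ HTTP/1.1" 200 2210
10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /resources/gitblit.css HTTP/1.1" 200 9812
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /resources/%2e%2e/WEB-INF/web.xml HTTP/1.1" 404 0
"""

# Matches the request line and status code in common/combined log format.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})'
)


def canonical_path(raw_target: str) -> str:
    """Decode and normalize a request target the way a resource handler must
    before it decides whether the path is inside the allowed directory."""
    path = raw_target.split("?", 1)[0]          # drop the query string
    path = unquote(path)                        # %2e%2e -> ..
    # normpath collapses the empty segment from '//' and resolves '..';
    # the leading '/' keeps '..' from climbing above the web root.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(raw_target: str, allowed_prefix: str = "/resources/") -> bool:
    """True only if the canonical path stays under allowed_prefix and never
    touches the servlet container's WEB-INF or META-INF directories."""
    norm = canonical_path(raw_target)
    if not norm.startswith(allowed_prefix):
        return False
    upper = norm.upper() + "/"
    if "/WEB-INF/" in upper or "/META-INF/" in upper:
        return False
    return True


def audit_log(log_text: str, allowed_prefix: str = "/resources/") -> list[dict]:
    """Return one record per request whose canonical path escapes the allowed
    prefix. A 'served' record (HTTP 200) means the file really was disclosed;
    a 4xx means the server already refused it."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if not is_allowed(target, allowed_prefix):
            findings.append({
                "target": target,
                "canonical": canonical_path(target),
                "status": int(m.group("status")),
                "served": m.group("status") == "200",
            })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "refused"
        print(f'{verdict:8} {f["target"]}  ->  {f["canonical"]}')
```

The check compares the canonical form, not the raw string: rejecting requests that merely contain ".." would miss the percent-encoded variant, and matching the prefix before normalization is exactly the mistake that lets /resources//../ through. The durable fix is the one the maintainer applied, updating the embedded Jetty so the container normalizes the path before dispatch; the function above is the equivalent check an application would do itself, and the audit is what to run over historical access logs to see whether web.xml or other files were ever returned with a 200.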