Note regarding Jetty indexing bug

Cantor, Scott E.
If you're running Jetty this shouldn't be news since they sent it to the announce list, but they released patches for a directory indexing bug yesterday [1].

We'll be shipping a patched version in the next Windows patch that goes out for the embedded version, but we already had indexing disabled in the static content handler that's part of that package.

We do *not* automatically disable it for the IdP itself anywhere because it's a container-specific thing to do but I've updated the Jetty 9.3 and the newly posted 9.4 pages [2][3] with sections on one simple way to do it with just a web.xml modification. There are a variety of ways to do it in Jetty outlined in their page that would be outside the IdP for those who prefer that.

This sort of thing is strictly the responsibility of deployers, but I wanted to bring it to people's attention.

-- Scott

[1] https://webtide.com/indexing-listing-vulnerability-in-jetty/
[2] https://wiki.shibboleth.net/confluence/display/IDP30/Jetty93
[3] https://wiki.shibboleth.net/confluence/display/IDP30/Jetty94
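
Added example, not part of the original message or of the Shibboleth or Jetty documentation: a small audit that reports whether a web.xml turns off Jetty directory listings. It assumes the setting is made with Jetty's DefaultServlet dirAllowed init-param or its org.eclipse.jetty.servlet.Default.dirAllowed context-param form; the function name and both web.xml samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: web.xml overriding Jetty's default servlet with listings off.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Constructed sample: no override, so whatever the container's webdefault.xml sets applies.
UNSET_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>example</display-name>
</web-app>"""

CONTEXT_PARAM = "org.eclipse.jetty.servlet.Default.dirAllowed"
DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"

def _local(tag):
    # Strip the XML namespace so the check works for any web-app schema version.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def dir_listing_setting(web_xml):
    """Return 'disabled', 'enabled' or 'unset' for Jetty directory listings."""
    root = ET.fromstring(web_xml)
    values = []  # every dirAllowed value found, in either form
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "context-param" and _child_text(elem, "param-name") == CONTEXT_PARAM:
            values.append(_child_text(elem, "param-value"))
        elif tag == "servlet" and _child_text(elem, "servlet-class") == DEFAULT_SERVLET:
            for p in elem:
                if _local(p.tag) == "init-param" and _child_text(p, "param-name") == "dirAllowed":
                    values.append(_child_text(p, "param-value"))
    if not values:
        return "unset"
    # Any value other than "false" is reported as enabled so it gets reviewed.
    return "disabled" if all((v or "").lower() == "false" for v in values) else "enabled"
```

A result of "unset" means the webapp does not decide the matter itself, so the container configuration has to be checked separately.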
