[ https://issues.jenkins-ci.org/browse/JENKINS-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=161851#comment-161851 ]
dogfood commented on JENKINS-11538:
-----------------------------------

Integrated in [jenkins_ui-changes_branch #21|http://ci.jenkins-ci.org/job/jenkins_ui-changes_branch/21/]
[FIXED JENKINS-11538] integrated Stapler 1.187 that contains the fix.
(Revision 9acf12f7976bd97bfa125e4b715ae340be8c1715)

Result = SUCCESS
Kohsuke Kawaguchi : [9acf12f7976bd97bfa125e4b715ae340be8c1715|https://github.com/jenkinsci/jenkins/commit/9acf12f7976bd97bfa125e4b715ae340be8c1715]
Files :
* core/pom.xml

> Jenkins serves existing files regardless of security
> ----------------------------------------------------
>
>                 Key: JENKINS-11538
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11538
>             Project: Jenkins
>          Issue Type: Bug
>          Components: security, www
>    Affects Versions: current
>         Environment: Jenkins 1.436, Windows 7 64-bit SP1, built-in Winstone servlet engine 0.9.10
>            Reporter: Steve Betts
>            Priority: Critical
>
> A URL of the form (note the dot) https:/<server>/WEB-INF./web.xml will
> return the file, even with security turned on and the client unauthenticated.
> As will any other URL that references a valid filename with a '.' after the
> first directory name, such as https://<server>/scripts./behavior.js.
> These behaviors are considered vulnerabilities by our large corporation.
> http://xforce.iss.net/xforce/xfdb/9446
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1858
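The report above shows a string-prefix access check being sidestepped because the Windows file system opens "WEB-INF." as "WEB-INF". As an added example (not the Stapler 1.187 fix and not Jenkins code), here is the bypassable prefix test beside a check that first canonicalizes the request path the way Windows resolves it, folding trailing dots and spaces, percent-encoding, dot segments and case. It goes a little beyond the report by also folding case, which Windows ignores in the same way; PROTECTED_PREFIXES is an assumed list of directories a servlet container must never serve.

```python
"""Canonicalize a request path before a path-based access check so that
"/WEB-INF./web.xml" is judged as the file Windows would actually open."""
import posixpath
from urllib.parse import unquote

# Assumption: directories the servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def naive_is_protected(url_path: str) -> bool:
    """The raw string-prefix check the report shows being bypassed."""
    return url_path.startswith(PROTECTED_PREFIXES)


def canonicalize(url_path: str) -> str:
    """Map a URL path to the name the Windows file system would resolve."""
    path = unquote(url_path)                  # "%2E" becomes "." before any check
    segments = []
    for seg in path.split("/"):
        if seg in (".", ".."):
            segments.append(seg)              # left for normpath to resolve
            continue
        # Windows drops trailing dots and spaces when opening a name,
        # so "WEB-INF." and "WEB-INF " both open "WEB-INF".
        folded = seg.rstrip(". ")
        if folded:
            segments.append(folded)
    # Rebuild from the root and collapse "." / ".." / duplicate slashes.
    canon = posixpath.normpath("/" + "/".join(segments))
    # Windows names are case-insensitive as well, so compare case-folded.
    return canon.casefold()


def is_protected(url_path: str) -> bool:
    """Access check applied to the canonical path, not the raw URL."""
    canon = canonicalize(url_path)
    for prefix in PROTECTED_PREFIXES:
        p = prefix.casefold()
        if canon == p.rstrip("/") or canon.startswith(p):
            return True
    return False


if __name__ == "__main__":
    for req in ("/WEB-INF/web.xml", "/WEB-INF./web.xml", "/scripts./behavior.js"):
        print(f"{req:28} naive={naive_is_protected(req)!s:5} "
              f"canonical={is_protected(req)}")
```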