DefaultServlet is added by default if using a WebAppContext. Why? Well, the WebAppContext loads the webdefault.xml from system resources, which has the DefaultServlet present. That same webdefault.xml has `dirAllowed` set to true by default.
The DefaultHandler is only present if you specifically set it up to use it. The jetty-home (and the older jetty-distribution) usages do set it up by default, but embedded-jetty has no such behavior.

Joakim Erdfelt / [email protected]

On Mon, Apr 22, 2019 at 4:11 PM <[email protected]> wrote:

> Thank you for all of your excellent work over the years.
>
> I am using a customized, embedded version of Jetty (which is an OSS project that I hope to publicly launch soon!) that does not use either one. I’m ok, right? (Although it would not be a big deal to upgrade to the latest Jetty, so maybe I should upgrade anyhow.)
>
> Thanks
>
> --Steve
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Chris Walker
> *Sent:* Monday, April 22, 2019 11:32
> *To:* JETTY user mailing list <[email protected]>; Jetty @ Eclipse developer discussion list <[email protected]>; [email protected]
> *Subject:* [jetty-users] Indexing/Listing Vulnerability in Jetty
>
> Hello!
>
> Greetings from the team at Webtide. We wanted to make you aware of a vulnerability that was recently discovered in Jetty and reported as CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.
>
> If you are using *DefaultServlet* or *ResourceHandler* with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version.
>
> We have put together a blog post that contains more information on how to disable indexing/listing, which can be found on the Webtide website.
>
> - https://webtide.com/indexing-listing-vulnerability/
>
> Additionally, we discovered that usages of *DefaultHandler* were susceptible to a similar leak of information. If no webapp was mounted on the root "/" namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data.
>
> As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central.
>
> Versions affected:
>
> - 9.2.26 and older (now EOL)
> - 9.3.25 and older
> - 9.4.15 and older
>
> Resolved:
>
> - 9.2.28.v20190418
> - 9.3.27.v20190418
> - 9.4.17.v20190418
>
> Best Regards,
> The Webtide Team
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
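Joakim's point is that embedded Jetty picks up `dirAllowed=true` through webdefault.xml, while DefaultHandler is only present if you add it yourself. The following is an added example (not code from the thread or from the Jetty project) of an embedded Jetty 9 setup that disables listing on both the DefaultServlet and ResourceHandler paths named in the advisory; the WAR and static-file paths are placeholders, and the server/port are assumed.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.webapp.WebAppContext;

// Added example: embedded Jetty 9 with directory listing turned off.
public class NoListingServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // assumed port

        // 1. WebAppContext loads webdefault.xml, whose DefaultServlet has
        //    dirAllowed=true. DefaultServlet consults context init params
        //    prefixed "org.eclipse.jetty.servlet.Default." before its own
        //    servlet init params, so this overrides the webdefault.xml value
        //    without replacing the descriptor.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/app");
        webapp.setWar("/path/to/app.war"); // placeholder path
        webapp.setInitParameter(
            "org.eclipse.jetty.servlet.Default.dirAllowed", "false");

        // 2. Static files served straight from a ResourceHandler: listing
        //    is controlled by a setter rather than an init param.
        ResourceHandler files = new ResourceHandler();
        files.setResourceBase("/path/to/static"); // placeholder path
        files.setDirectoriesListed(false);

        // 3. No DefaultHandler is added to the chain, so a request for an
        //    unmapped path yields a plain 404 instead of a generated page
        //    linking to the other deployed contexts.
        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { files, webapp });
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```

Check the result by requesting a directory path without a welcome file on both the static and webapp contexts; a hardened server answers with 403 (DefaultServlet) or 404 (ResourceHandler) rather than an HTML listing.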
