• Bug
  • Status: Closed
  • 2 Major
  • Resolution: Fixed
  • drb
  • Reporter: thrytis
  • August 15, 2008
  • 0
  • Watchers: 0
  • July 27, 2012
  • August 18, 2008

Description

The terracotta server allows remote users to access local files via the internal Jetty server. This can be reproduced by running the $TC_HOME/bin/start-tc-server.sh to start the server (using the default config is fine) and pointing a web browser at http://:9510/. You will see a list of all files in the directory you were in when you started the server, as well as view any files in that directory or any subdirectories. Your jmx passwords can be viewed this way if they are in the same directory that you start the server from.

I could find no way to modify this behavior from the configuration files. As a workaround, you could start the server from an empty directory and configure logs and data to go to directories in a different path.

This bug is because jetty by default enables the DefaultServlet on the root context. This is controlled by the webdefault.xml file found in the jetty jar. This behavior can be disabled by setting the defaults descriptor used by jetty to null in code/base/deploy/src/com/tc/server/TCServerImpl.java, method startHTTPServer(…), adding the line:

context.setDefaultsDescriptor(null);

immediately after creating the context object.

I found the bug working in 2.5.1 and 2.5.4, so it is likely in all 2.5.x releases. I was not able to reproduce this in the 2.6.2 release. It was likely resolved in 2.6 as a side effect when the initialization of the jetty server was significantly changed.

Comments