struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4601) webconsole can always be accessed
Date Fri, 08 Jul 2016 04:51:11 GMT

    [ https://issues.apache.org/jira/browse/WW-4601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367220#comment-15367220
] 

Lukasz Lenart commented on WW-4601:
-----------------------------------

[~montri.m] yes, you can hide it, just implement your own {{StaticContentLoader}} like this
{code:java}
public class MyStaticContentLoader extends DefaultStaticContentLoader {

    @Override
    protected String getAdditionalPackages() {
        return "org.apache.struts2.static template static");
    }

}
{code}

and then in {{struts.xml}}

{code:xml}
<bean type="org.apache.struts2.dispatcher.StaticContentLoader" class="MyStaticContentLoader"
name="myLoader" />
<constant name="struts.staticContentLoader" value="myLoader" />
{code}

all is here https://struts.apache.org/docs/static-content.html

> webconsole can always be accessed
> ---------------------------------
>
>                 Key: WW-4601
>                 URL: https://issues.apache.org/jira/browse/WW-4601
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Alireza Fattahi
>            Assignee: Lukasz Lenart
>             Fix For: 2.3.31, 2.5.3
>
>
> It is possible that you get the webconsole.html in dev without having debug in the stack
trace
> I found that you can access /stuts/webconsole.html to see this html.  For example (thanks
jgeppert! ) :
> {code}
> http://struts.jgeppert.com/struts2-jquery-showcase/struts/webconsole.html
> {code}
> I wonder if this should be fixed and if this can be used for attackers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message