From 63d368565277286e9b8fb0a0dd591dc0750f776a Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Fri, 29 Jan 2010 13:55:16 +0000
Subject: [PATCH]     * Jetty: Turn on checkAliases

---
 installer/resources/wrapper.config         | 21 +++++++++++++--------
 router/java/src/net/i2p/router/Router.java |  6 ++++++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/installer/resources/wrapper.config b/installer/resources/wrapper.config
index 3fbe0375e8..380f94bc62 100644
--- a/installer/resources/wrapper.config
+++ b/installer/resources/wrapper.config
@@ -57,18 +57,23 @@ wrapper.java.library.path.2=$INSTALL_PATH/lib
 # Numbers must be consecutive (except for stripquotes)
 wrapper.java.additional.1=-DloggerFilenameOverride=logs/log-router-@.txt
 wrapper.java.additional.2=-Dorg.mortbay.http.Version.paranoid=true
-wrapper.java.additional.3=-Dorg.mortbay.util.FileResource.checkAliases=false
-wrapper.java.additional.4=-Dorg.mortbay.xml.XmlParser.NotValidating=true
-wrapper.java.additional.5=-Di2p.dir.base="$INSTALL_PATH"
-wrapper.java.additional.5.stripquotes=TRUE
+wrapper.java.additional.3=-Dorg.mortbay.xml.XmlParser.NotValidating=true
+wrapper.java.additional.4=-Di2p.dir.base="$INSTALL_PATH"
+wrapper.java.additional.4.stripquotes=TRUE
+# Jetty says this is a security risk
+# Uncommenting this won't help as the router forces it to true
+# If you really need this, you have to set it in jetty.xml
+# somehow - not sure exactly but here's a clue:
+# org.mortbay.util.FileResource.setCheckAliases(false)
+# wrapper.java.additional.5=-Dorg.mortbay.util.FileResource.checkAliases=false
 # PORTABLE installation:
 # uncomment the following
-#wrapper.java.additional.6=-Di2p.dir.pid="$INSTALL_PATH"
+#wrapper.java.additional.5=-Di2p.dir.pid="$INSTALL_PATH"
+#wrapper.java.additional.5.stripquotes=TRUE
+#wrapper.java.additional.6=-Di2p.dir.temp="$INSTALL_PATH"
 #wrapper.java.additional.6.stripquotes=TRUE
-#wrapper.java.additional.7=-Di2p.dir.temp="$INSTALL_PATH"
+#wrapper.java.additional.7=-Di2p.dir.config="$INSTALL_PATH"
 #wrapper.java.additional.7.stripquotes=TRUE
-#wrapper.java.additional.8=-Di2p.dir.config="$INSTALL_PATH"
-#wrapper.java.additional.8.stripquotes=TRUE
 #
 # Uncomment this for better performance.
 # If it doesn't work, server mode is not available in your JVM.
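Review bot: The commented-out `wrapper.java.additional.5=-Dorg.mortbay.util.FileResource.checkAliases=false` reuses index 5, which the portable-install block just below also assigns to `i2p.dir.pid`, while the header comment says the numbers must be consecutive. Anyone who uncomments both ends up with two definitions of entry 5, so the example should carry a reminder such as `# (renumber so the wrapper.java.additional.N entries stay consecutive)`. The explanatory comment would also serve an operator better if it named the risk instead of "not sure exactly". As far as I know, alias checking is what stops aliased paths (symlinks, case or short-name variants) from slipping past Jetty's path-based restrictions, so something like `# Disabling this can let aliased paths bypass Jetty's access checks; leave it on` would be clearer.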
diff --git a/router/java/src/net/i2p/router/Router.java b/router/java/src/net/i2p/router/Router.java
index 77a73f65a7..b730d6d4a8 100644
--- a/router/java/src/net/i2p/router/Router.java
+++ b/router/java/src/net/i2p/router/Router.java
@@ -105,6 +105,12 @@ public class Router {
         System.setProperty("user.timezone", "GMT");
         // just in case, lets make it explicit...
         TimeZone.setDefault(TimeZone.getTimeZone("GMT"));
+        // https://www.kb.cert.org/vuls/id/402580
+        // http://docs.codehaus.org/display/JETTY/SystemProperties
+        // Fixed in Jetty 5.1.15 but we are running 5.1.12
+        // The default is true, unfortunately it was previously
+        // set to false in wrapper.config thru 0.7.10 so we must set it back here.
+        System.setProperty("Dorg.mortbay.util.FileResource.checkAliases", "true");
     }
     
     public Router() { this(null, null); }
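Review bot: The key passed to `System.setProperty` on the added line starts with a stray `D`, so it sets a property named `Dorg.mortbay.util.FileResource.checkAliases` rather than `org.mortbay.util.FileResource.checkAliases`, which is the name the `-D` flag in wrapper.config defines. An install that still has the old `checkAliases=false` line in its wrapper.config would therefore keep alias checking disabled, which is exactly the case the comment says this line is meant to correct. The line should read `System.setProperty("org.mortbay.util.FileResource.checkAliases", "true");`. It is also worth confirming that this runs before Jetty's FileResource class first reads the property, since a value read once at class load would not pick up a later change. The enclosing block starts outside the hunk, so its position in startup cannot be checked from here.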
-- 
GitLab