Added note for CVE-2016-4800 and several small grammatical clean ups.

Signed-off-by: WalkerWatch <ctwalker@gmail.com>
2016-05-31 19:39:58 -04:00 · 2016-05-31 19:39:58 -04:00 · 2508d73a94
parent 89232a6207
commit 2508d73a94
4 changed files with 23 additions and 21 deletions
--- a/jetty-documentation/src/main/asciidoc/configuring/deploying/anatomy-of-a-webapp.adoc
+++ b/jetty-documentation/src/main/asciidoc/configuring/deploying/anatomy-of-a-webapp.adoc
@ -27,7 +27,6 @@ Web Applications can be bundled into a single Web Archive (WAR file) or as a dir

 `/WEB-INF/`::
  Special Servlet API defined directory used to store anything related to the Web Application that are not part of the public access of the Web Application.
-  
  If there is content that is accessed by a Web Application internally, but that should also never be accessed directly by a web browser, this is the directory it would placed in.
  
 `/WEB-INF/web.xml`::
--- a/jetty-documentation/src/main/asciidoc/configuring/deploying/deployment-processing-webapps.adoc
+++ b/jetty-documentation/src/main/asciidoc/configuring/deploying/deployment-processing-webapps.adoc
@ -52,15 +52,15 @@ META-INF/web-fragment.xml

 ===== Anatomy of a Configuration Class

-A Configuration class is called 5 times in different phases of the WebAppContext's lifecycle:
+A Configuration class is called 5 times in different phases of the `WebAppContext's` lifecycle:

 preConfigure::
-  As the WebAppContext is starting up this phase is executed. 
-  The Configuration should discover any of the resources it will need during the subsequent phases.
+  As the `WebAppContext` is starting up this phase is executed. 
+  The `Configuration` should discover any of the resources it will need during the subsequent phases.
 configure::
-  This phase is where the work of the class is done, usually using the resources discovered during the preConfigure phase.
+  This phase is where the work of the class is done, usually using the resources discovered during the `preConfigure` phase.
 postConfigure::
-  This phase allows the Configuration to clear down any resources that may have been created during the previous 2 phases that are not needed for the lifetime of the `WebAppContext`.
+  This phase allows the `Configuration` to clear down any resources that may have been created during the previous 2 phases that are not needed for the lifetime of the `WebAppContext`.
 deconfigure::
  This phase occurs whenever a `WebAppContext` is being stopped and allows the Configuration to undo any resources/metadata that it created. 
  A `WebAppContext` should be able to be cleanly start/stopped multiple times without resources being held.
@ -68,8 +68,8 @@ destroy::
  This phase is called when a `WebAppContext` is actually removed from service. 
  For example, the war file associated with it is deleted from the $JETTY_HOME/webapps directory.

-Each phase is called on each Configuration class in the order in which the `Configuration` class is listed. 
-Using the default Configuration classes as an example, preConfigure() will be called on `WebInfConfiguration`, `WebXmlConfiguration`, `MetaInfConfiguration`, `FragmentConfiguration` and then `JettyWebXmlConfiguration`. 
+Each phase is called on each `Configuration` class in the order in which the `Configuration` class is listed. 
+Using the default `Configuration` classes as an example, `preConfigure()` will be called on `WebInfConfiguration`, `WebXmlConfiguration`, `MetaInfConfiguration`, `FragmentConfiguration` and then `JettyWebXmlConfiguration`. 
 The cycle begins again for the `configure()` phase and again for the `postConfigure()` phases. 
 The cycle is repeated _in reverse order_ for the `deconfigure()` and eventually the `destroy()` phases.

@ -96,10 +96,10 @@ To achieve that, we use 2 extra Configurations:
 [cols=",",]
 |=======================================================================
 |link:{JDURL}/org/eclipse/jetty/plus/webapp/EnvConfiguration.html[org.eclipse.jetty.plus.webapp.EnvConfiguration]
-|Creates java:comp/env for the webapp, applies a WEB-INF/jetty-env.xml file
+|Creates `java:comp/env` for the webapp, applies a `WEB-INF/jetty-env.xml` file

 |link:{JDURL}/org/eclipse/jetty/plus/webapp/PlusConfiguration.html[org.eclipse.jetty.plus.webapp.PlusConfiguration]
-|Processes JNDI related aspects of WEB-INF/web.xml and hooks up naming entries
+|Processes JNDI related aspects of `WEB-INF/web.xml` and hooks up naming entries
 |=======================================================================

 These configurations must be added in _exactly_ the order shown above and should be inserted _immediately before_ the link:{JDURL}/org/eclipse/jetty/webapp/JettyWebXmlConfiguration.html[org.eclipse.jetty.webapp.JettyWebXmlConfiguration] class in the list of configurations. 
@ -117,7 +117,7 @@ We need just one extra Configuration class to help provide servlet annotation sc
@WebListener etc
 |=======================================================================

-The above configuration class must be _inserted immediately before_ the link:{JDURL}/org/eclipse/jetty/webapp/JettWebXmlConfiguration.html[org.eclipse.jetty.webapp.JettyWebXmlConfiguration] class in the list of configurations. 
+The above configuration class must be _inserted immediately before_ the link:{JDURL}/org/eclipse/jetty/webapp/JettyWebXmlConfiguration.html[org.eclipse.jetty.webapp.JettyWebXmlConfiguration] class in the list of configurations. 
 To fully support annotations, you need to do a couple of other things, details of which can be found below.

 ===== How to Set the List of Configurations
@ -204,7 +204,7 @@ They will then be applied to each `WebAppContext` deployed by the deployer:

 Instead of having to enumerate the list in its entirety, you can simply nominate classes that you want to add, and indicate whereabouts in the list you want them inserted. 
 Let's look at an example of using this method to add in Configuration support for JNDI - as usual you can either do this in an xml file, or via equivalent code. 
-This example uses an xml file, in fact it is the $JETTY_HOME/etc/jetty-plus.xml file from the Jetty distribution:
+This example uses an xml file, in fact it is the `$JETTY_HOME/etc/jetty-plus.xml` file from the Jetty distribution:

 [source,xml]
 ----
@ -235,9 +235,9 @@ This example uses an xml file, in fact it is the $JETTY_HOME/etc/jetty-plus.xml
 The link:{JDURL}/org/eclipse/jetty/webapp/Configuration.html[org.eclipse.jetty.webapp.Configuration.ClassList] class provides these methods for insertion:

 addAfter::
-  Inserts the supplied list of Configuration class names after the given Configuration class name.
+  Inserts the supplied list of `Configuration` class names after the given Configuration class name.
 addBefore::
-  Inserts the supplied list of Configuration class names before the given Configuration class name.
+  Inserts the supplied list of `Configuration` class names before the given Configuration class name.

 [[webapp-context-attributes]]
 ==== Other Configuration
@ -280,7 +280,7 @@ Similarly to the previous link:#context_attributes[context attribute], this attr
 However, this attribute controls which jars from the _webapp's_ classpath (usually `WEB-INF/lib`) are processed. 
 This can be particularly useful when you have dozens of jars in `WEB-INF/lib`, but you know that only a few need to be scanned.

-Here's an example in a xml file of a pattern that matches any jar that starts with "spring-":
+Here's an example in a xml file of a pattern that matches any jar that starts with `spring-`:

 [source,xml]
 ----
--- a/jetty-documentation/src/main/asciidoc/quick-start/configuring/what-to-configure.adoc
+++ b/jetty-documentation/src/main/asciidoc/quick-start/configuring/what-to-configure.adoc
@ -187,8 +187,8 @@ If you need to configure something within a web application, often you do so by
 However, both the servlet standard and some Jetty features allow for other configuration to be applied to a web
 application externally from the WAR:

-* You configure datasources and security realms in the server and inject them into a web application either explicitly or by name matching.
-* Jetty allows one or more override deployment descriptors, in `web.xml` format, to be set on a context (via code or IoC XML) to amend the configuration set by the default and standard ` web.xml`.
+* You configure data sources and security realms in the server and inject them into a web application either explicitly or by name matching.
+* Jetty allows one or more override deployment descriptors, in `web.xml` format, to be set on a context (via code or IoC XML) to amend the configuration set by the default and standard `web.xml`.
 * The normal Jetty Java API may be called by code or IoC XML to amend the configuration of a web application.

 ===== Setting the Context Path
@ -232,7 +232,7 @@ An example of setting the context path is included with the Jetty distribution i

 ===== Setting an Authentication Realm

-The authentication method and realm name for a standard web application may be set in the ` web.xml` deployment descriptor with elements like:
+The authentication method and realm name for a standard web application may be set in the `web.xml` deployment descriptor with elements like:

 [source,xml]
 ----
--- a/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc
+++ b/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc
@ -23,6 +23,9 @@ The following sections provide information about Jetty security issues.
 [width="99%",cols="11%,19%,14%,9%,14%,14%,19%",options="header",]
 |=======================================================================
 |yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment
+|2016/05/31 |CVE-2016-4800 |high |high |>= 9.3.0, < = 9.3.8 |9.3.9
+|http://www.ocert.org/advisories/ocert-2016-001.html[Alias vulnerability allowing access to protected resources within a webapp on Windows.]
+
 |2015/02/24 |CVE-2015-2080 |high |high |>=9.2.3 <9.2.9 |9.2.9
 |http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html[JetLeak exposure of past buffers during HttpParser error]

@ -34,7 +37,7 @@ https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014[418014] |Alias checking dis
 |https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] |low
 |medium |>=7.6.9 <9.0.5 |7.6.13,8.1.13,9.0.5
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684]
-|Constraints bypassed if unix symlink alias checker used on windows
+|Constraints bypassed if Unix symlink alias checker used on Windows.

 |2011/12/29
 |http://www.ocert.org/advisories/ocert-2011-003.html[CERT2011-003] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461[CVE-2011-4461]
@ -49,11 +52,11 @@ around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19
 setAllowRenegotiate(true) may be called on connectors.

 |2009/06/18 |http://jira.codehaus.org/browse/JETTY-1042[Jetty-1042] |low
-|high |<=6.1.18, <=7.0.0.M4 |6.1.19, 7.0.0.Rc0 |Cookie leak between
+|high |< = 6.1.18, < = 7.0.0.M4 |6.1.19, 7.0.0.Rc0 |Cookie leak between
 requests sharing a connection.

 |2009/04/30 |http://www.kb.cert.org/vuls/id/402580[CERT402580] |medium
-|high |<=6.1.16, <=7.0.0.M2 a|
+|high |< = 6.1.16, < = 7.0.0.M2 a|
 5.1.15, 6.1.18, 7.0.0.M2

 http://jira.codehaus.org/browse/JETTY-1004[Jetty-1004]