tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hans Bergsten <h...@gefionsoftware.com>
Subject Re: DefaultServlet path checks
Date Mon, 08 Nov 1999 01:08:31 GMT
Harish Prabandham wrote:
> 
> Hi,
> 
> Your fix sounds good... Does it address the case of a file that
> is named:
> 
> foo.Bar.goo and Foo.Bar.GOO & such similar variations....
> 
> .html and .htm variations etc....
> 
> If It does, please commit the changes to the "trunk" only..

I'm not sure I understand what problem you refer to with the above
examples. It does address the case where someone tries to fool the
server to use the DefaultServlet to reveal the source of a JSP page
(or other extension based processing) by using extra characters or
using mixed case in the extension part. I assume that's what you
refer to in the first example.

But what do you mean by ".html and .htm variations etc."? How is
that supposed to be addressed? 

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com

Mime
View raw message