tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java
Date Sun, 10 Dec 2000 03:07:52 GMT
craigmcc    00/12/09 19:07:51

  Modified:    src/examples/WEB-INF/classes/examples Tag: tomcat_32
                        ShowSource.java
  Log:
  Fix a security vulnerability -- the "ShowSource" custom tag in conjunction
  with the "/examples/jsp/source.jsp page could be used to expose the contents
  of sensitive information in the WEB-INF or META-INF directories.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.4.4.1   +3 -1      jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java
  
  Index: ShowSource.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v
  retrieving revision 1.4
  retrieving revision 1.4.4.1
  diff -u -r1.4 -r1.4.4.1
  --- ShowSource.java	2000/03/07 19:53:39	1.4
  +++ ShowSource.java	2000/12/10 03:07:51	1.4.4.1
  @@ -20,7 +20,9 @@
       }
   
       public int doEndTag() throws JspException {
  -	if (jspFile.indexOf( ".." ) >= 0)
  +	if ((jspFile.indexOf( ".." ) >= 0) ||
  +            (jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
  +            (jspFile.toUpperCase().indexOf("/META-INF/") != 0))
   	    throw new JspTagException("Invalid JSP file " + jspFile);
   
           InputStream in
  
  
  

Mime
View raw message