From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat-4.0/webapps/examples/WEB-INF/classes/examples ShowSource.java
Date Sun, 10 Dec 2000 03:12:19 GMT
craigmcc    00/12/09 19:12:19

  Modified:    webapps/examples/WEB-INF/classes/examples ShowSource.java
  Log:
  Fix a security vulnerability.  The "ShowSource" custom tag, in conjunction with
  the "/examples/jsp/source.jsp" page, could be used to expose sensitive data in
  the WEB-INF and META-INF directories of a web application.
  
  Revision  Changes    Path
  1.2       +3 -1      jakarta-tomcat-4.0/webapps/examples/WEB-INF/classes/examples/ShowSource.java
  
  Index: ShowSource.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/examples/WEB-INF/classes/examples/ShowSource.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- ShowSource.java	2000/08/17 00:57:58	1.1
  +++ ShowSource.java	2000/12/10 03:12:19	1.2
  @@ -20,7 +20,9 @@
       }
   
       public int doEndTag() throws JspException {
  -	if (jspFile.indexOf( ".." ) >= 0)
  +	if ((jspFile.indexOf( ".." ) >= 0) ||
  +            (jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
  +            (jspFile.toUpperCase().indexOf("/META-INF/") != 0))
   	    throw new JspTagException("Invalid JSP file " + jspFile);
   
           InputStream in
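Review bot: The two added conditions use `!= 0`, which is true for every path that does not begin with that exact prefix, so the OR chain rejects any value of jspFile (a string cannot start with both "/WEB-INF/" and "/META-INF/") and the tag will throw `JspTagException` on every call rather than only on the sensitive directories. The intent stated in the log is to block access to WEB-INF and META-INF, which is a containment test: `(jspFile.toUpperCase(Locale.ENGLISH).indexOf("/WEB-INF/") >= 0) ||` and `(jspFile.toUpperCase(Locale.ENGLISH).indexOf("/META-INF/") >= 0))` reject the paths regardless of where the segment appears. Passing an explicit locale to `toUpperCase()` matters for a security check, because the default-locale form can map the `i` in "inf" to a character that never equals the ASCII `I` in the literal, silently disabling the comparison. The body of `doEndTag()` continues past the hunk, so any further restriction of jspFile there is not visible here.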
  
  
  
