tomcat-dev mailing list archives

From Robert Ellis <rel...@first.gmd.de>
Subject Tomcat 3.2.1 JSP Source Disclosure
Date Tue, 19 Dec 2000 12:15:18 GMT
I did the following while testing a JSP on Tomcat 3.2.1 and received the
source for the JSP instead of the proper output:

telnet xxx 8080
Trying xxx.xxx.xxx.xxx...
Connected to xxx.
Escape character is '^]'.
GET /test.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 40
Last-Modified: Tue, 19 Dec 2000 11:08:39 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java
1.3.0; SunOS 5.5.1 sparc; java.vendor=Sun Microsystems Inc.)
 
<%
out.println("hello i'm a jsp :)");
%>Connection closed by foreign host.


This only seems to happen if you leave out the HTTP version number in
the request.
Tomcat-4.0-m5 doesn't seem to do this.

Thanks for a great free (as in speech and beer) piece of software

Cheers
Robert
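
Added example, not part of the original message and not Tomcat code: a regression check that builds the version-less request line from the report and flags a reply whose body still contains unprocessed JSP markup. The function names and both sample replies are constructed for illustration; the first sample reproduces the reply quoted above.

```python
import re

# Constructed samples: the reply quoted in the report, and a correctly rendered one.
LEAKED = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 40\r\n\r\n"
          b"<%\nout.println(\"hello i'm a jsp :)\");\n%>")
RENDERED = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\nhello i'm a jsp :)\n"

# JSP scriptlet, expression, declaration or directive delimiters.
JSP_MARKUP = re.compile(rb"<%[=!@]?.*?%>", re.DOTALL)


def versionless_get(path):
    """Request line as typed in the report: method and path, no HTTP version."""
    if not path.startswith("/") or any(c in path for c in "\r\n "):
        raise ValueError("path must be absolute and contain no whitespace")
    return ("GET " + path + "\r\n").encode("ascii")


def split_response(raw):
    """Return (headers, body). A reply without a status line is treated as all body."""
    if not raw.startswith(b"HTTP/"):
        return {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def assess(raw):
    """Report whether the body leaks JSP source and how the server labelled it."""
    headers, body = split_response(raw)
    return {
        "source_leaked": JSP_MARKUP.search(body) is not None,
        "content_type": headers.get("content-type"),
    }


if __name__ == "__main__":
    print(versionless_get("/test.jsp"))
    print("reported reply:", assess(LEAKED))
    print("rendered reply:", assess(RENDERED))
```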
