tomcat-dev mailing list archives

From Yoshiyuki Karezaki <k...@wtank.csk.co.jp>
Subject Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java
Date Mon, 05 Mar 2001 02:22:12 GMT
In article <cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java>,
	larryi@apache.org writes:
 |larryi      01/03/01 10:05:07
 |
 |  Modified:    src/share/org/apache/tomcat/util/io FileUtil.java
 |  Log:
 |  Removed the "trim" in patch() method to avoid security hole.  A file ending
 |  in ".jsp%20" would not be considered a JSP page, but could still be served,
 |  probably statically, if the trailing space is removed.  The sanity and watchdog
 |  tests still pass.
 |  
 |  Submitted by: Kazuhiro Kazama
 |  
 |  This fixes direct access to Tomcat. The impact on access through mod_jserv
 |  and mod_jk still needs to be checked.
 |  
 |  Revision  Changes    Path
 |  1.2       +4 -4      jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java

This patch should apply to tomcat_32 branch too.
Tomcat 3.2.X has the same security problem.

--- Yoshiyuki Karezaki   kare@wtank.csk.co.jp
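An added Java illustration of the mismatch the commit log describes, written for this page and not taken from Tomcat: the JSP extension check runs on the raw path while the file lookup trims it, so a request for "index.jsp%20" misses the JSP mapping yet resolves to the real file. The resolve helpers, DOC_BASE and file paths are hypothetical stand-ins, not FileUtil.patch().

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/**
 * Routing decides by the untrimmed path, lookup by a trimmed one:
 * "index.jsp " is not a JSP to the router but is index.jsp on disk.
 * Hypothetical stand-ins for Tomcat's FileUtil.patch(), not its code.
 */
public class TrailingSpaceDemo {

    enum Handler { JSP, STATIC, NOT_FOUND }

    // Constructed in-memory docBase: the files that "exist" on disk.
    static final Set<String> DOC_BASE = Set.of("/webapps/ROOT/index.jsp",
                                               "/webapps/ROOT/logo.gif");

    // Extension mapping as the JSP servlet sees it: applied to the raw path.
    static boolean isJsp(String path) {
        return path.endsWith(".jsp");
    }

    // Pre-fix behaviour: trim() silently drops the trailing space.
    static String resolveTrimmed(String path) {
        return "/webapps/ROOT" + path.trim();
    }

    // Post-fix behaviour: the path is used as received and does not match.
    static String resolveFixed(String path) {
        return "/webapps/ROOT" + path;
    }

    static Handler dispatch(String rawUri, boolean trimOnLookup) {
        // "%20" decodes to a literal trailing space before dispatch.
        String path = URLDecoder.decode(rawUri, StandardCharsets.UTF_8);
        if (isJsp(path)) {
            return Handler.JSP;
        }
        String file = trimOnLookup ? resolveTrimmed(path) : resolveFixed(path);
        return DOC_BASE.contains(file) ? Handler.STATIC : Handler.NOT_FOUND;
    }

    public static void main(String[] args) {
        for (String uri : new String[] {"/index.jsp", "/index.jsp%20"}) {
            System.out.println(uri + " with trim:    " + dispatch(uri, true));
            System.out.println(uri + " without trim: " + dispatch(uri, false));
        }
    }
}
```

With trimming enabled the second URI reaches the static handler and the JSP source is what gets served; the general lesson is that one canonical form of the path must drive both the routing decision and the file lookup.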
