From r...@apache.org
Subject cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java
Date Mon, 02 Apr 2001 08:41:48 GMT
remm        01/04/02 01:41:48

  Modified:    catalina/src/share/org/apache/catalina/servlets
                        DefaultServlet.java
  Log:
  - Fixes security problem reported by Jon and an anonymous hacker.
    Now http://127.0.0.1:8080/examples/jsp/dates/date%252ejsp returns 404,
    while http://127.0.0.1:8080/examples/jsp/dates/date%2ejsp returns the result of
    the execution of the JSP.
    Now Craig is going to have a lot of fun building new binaries ;)
  
  Revision  Changes    Path
  1.32      +4 -6      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- DefaultServlet.java	2001/03/23 02:55:44	1.31
  +++ DefaultServlet.java	2001/04/02 08:41:45	1.32
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.31 2001/03/23 02:55:44 remm Exp $
  - * $Revision: 1.31 $
  - * $Date: 2001/03/23 02:55:44 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.32 2001/04/02 08:41:45 remm Exp $
  + * $Revision: 1.32 $
  + * $Date: 2001/04/02 08:41:45 $
    *
    * ====================================================================
    *
  @@ -122,7 +122,7 @@
    *
    * @author Craig R. McClanahan
    * @author Remy Maucherat
  - * @version $Revision: 1.31 $ $Date: 2001/03/23 02:55:44 $
  + * @version $Revision: 1.32 $ $Date: 2001/04/02 08:41:45 $
    */
   
   public class DefaultServlet
  @@ -868,8 +868,6 @@
   	// Placed at the beginning of the chain so that encoded 
   	// bad stuff(tm) can be caught by the later checks
           String normalized = path;
  -        if (normalized.indexOf('%') >= 0)
  -            normalized = RequestUtil.URLDecode(normalized, "UTF8");
           if (normalized == null)
               return (null);
           
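Review bot: The two comment lines kept above `String normalized = path;` still say this step comes first so that encoded input is caught by the later checks, but with the `RequestUtil.URLDecode` call removed nothing at this point decodes anything, so the comment now describes code that is gone. I would replace it with `// path arrives already decoded once by the container; do not decode it again here`, which also records why the second decode was dropped (the log's `date%252ejsp` example suggests the path was being decoded twice). The remaining `if (normalized == null)` check now only guards a null `path` argument. The enclosing method starts and ends outside the hunk, so whether the later checks cope with a path that still contains a literal `%` cannot be confirmed from here; a regression test for the two URLs named in the log would pin the intended behaviour.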
  
  
  
