tomcat-dev mailing list archives

From Bip Thelin <...@razorfish.com>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core LocalStrings.properties StandardContextMapper.java
Date Sat, 12 May 2001 00:07:27 GMT
craigmcc@apache.org wrote:
> 
> craigmcc    01/05/11 16:20:12
> 
>   Modified:    catalina/src/share/org/apache/catalina/core
>                         LocalStrings.properties StandardContextMapper.java
>   Log:
>   Return error 400 if the user uses invalid characters (including %00 and
>   %7f) in a URI.  This fixes a security vulnerability, present in 4.0-b4,
>   that exposes JSP source code when you request:
> 
>     http://localhost:8080/examples/jsp/num/numguess.jsp%00
>
> [...]

Shouldn't we post a security "hotfix" or cut a new beta release? This seems
like a pretty major security flaw.

	..bip
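
The quoted commit describes the fix only in outline: percent-decode the request URI and answer 400 when it carries characters such as %00 or %7f. The following is an added example written for this page in Python; it is not Tomcat's StandardContextMapper or any other project code. The control-character set beyond %00 and %7f, the toy extension-based `route()` mapper and the `handle()`/`handle_unchecked()` names are this example's own assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

# Decoded bytes that must never appear in a request path: the C0 control
# range (which contains 0x00, i.e. %00) and DEL (0x7f, i.e. %7f).  The commit
# names %00 and %7f; rejecting the rest of the control range is this
# example's assumption, not Tomcat's actual character list.
def has_invalid_chars(decoded: bytes) -> bool:
    return any(b < 0x20 or b == 0x7f for b in decoded)


def check_request_uri(raw_uri: str) -> Tuple[int, bytes]:
    """Percent-decode raw_uri and return (400, decoded) if the decoded form
    contains control bytes, otherwise (200, decoded).  Decoding happens
    before the check so that both %00 and a raw NUL byte are caught."""
    decoded = unquote_to_bytes(raw_uri)
    if has_invalid_chars(decoded):
        return 400, decoded
    return 200, decoded


def route(decoded_path: bytes) -> str:
    """Toy extension-based mapper (hypothetical, not StandardContextMapper):
    paths ending in '.jsp' go to the JSP handler, everything else to the
    default (static file) handler."""
    return "jsp" if decoded_path.endswith(b".jsp") else "default"


def handle(raw_uri: str) -> Tuple[int, Optional[str]]:
    """Hardened dispatch: validate the decoded URI first, map only clean paths."""
    status, decoded = check_request_uri(raw_uri)
    if status != 200:
        return status, None
    return 200, route(decoded)


def handle_unchecked(raw_uri: str) -> Tuple[int, str]:
    """Dispatch without the validation step, kept only for comparison."""
    return 200, route(unquote_to_bytes(raw_uri))


if __name__ == "__main__":
    # Constructed sample URIs; the first is the request named in the commit.
    for uri in ("/examples/jsp/num/numguess.jsp",
                "/examples/jsp/num/numguess.jsp%00",
                "/examples/jsp/num/numguess.jsp%7f",
                "/examples/jsp/num/numguess.jsp%0a"):
        print(uri, "unchecked ->", handle_unchecked(uri), "checked ->", handle(uri))
```

In this toy mapper a trailing NUL defeats the `.jsp` suffix match, so the unchecked path sends `numguess.jsp%00` to the static-file handler while the checked path rejects it with 400 before any mapping happens. Whether Tomcat 4.0-b4 failed in exactly that way is not stated in the quoted message; the point the example makes is only that the validation has to run on the decoded URI and ahead of servlet mapping.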
