tomcat-dev mailing list archives

From "William Barker" <william.bar...@wilshire.com>
Subject [PATCH] Potential security problem with '?' in jsp file name TC3.3B1
Date Wed, 15 Aug 2001 21:48:15 GMT
Using:
Apache 1.3.17
TC3.3 B1
Ajp13
Java 1.3.1

Making the request http://myserver/%3f%41%3d%42.jsp was interpreted as a
request for the file "/?A=B.jsp".  JspInterceptor then happily creates a
page containing the contents of the ROOT directory.  The attached patch
forbids such silliness.

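An added example of the kind of check the report calls for, not the attached patch (which this archive page does not show) and not Tomcat code: the request URI is split at a literal '?' before decoding, the path is percent-decoded exactly once, and any path in which a '?' appears only after decoding is refused. The class and method names (`JspPathCheck`, `decodeOnce`, `safeJspPath`) are hypothetical, and the sample URIs are constructed apart from the one quoted in the message.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class JspPathCheck {

    // Percent-decode exactly once; malformed or non-ASCII input is an error.
    static String decodeOnce(String raw) {
        if (!raw.chars().allMatch(ch -> ch < 0x80))
            throw new IllegalArgumentException("non-ASCII character in raw URI");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c != '%') { out.write(c); continue; }
            if (i + 2 >= raw.length()) throw new IllegalArgumentException("truncated escape");
            int hi = Character.digit(raw.charAt(i + 1), 16);
            int lo = Character.digit(raw.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape");
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Returns the decoded path to hand to the JSP layer, or null to refuse the request.
    static String safeJspPath(String rawUri) {
        // Only a literal '?' separates path from query, so split BEFORE decoding.
        int q = rawUri.indexOf('?');
        String rawPath = (q < 0) ? rawUri : rawUri.substring(0, q);
        String path;
        try {
            path = decodeOnce(rawPath);
        } catch (IllegalArgumentException e) {
            return null; // malformed escape: refuse rather than guess
        }
        // A '?' present here can only have arrived as %3f; it must not reach file lookup.
        return (path.indexOf('?') >= 0) ? null : path;
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the first is the request from the report above.
        String[] samples = { "/%3f%41%3d%42.jsp", "/index.jsp?A=B", "/a%20b.jsp", "/bad%zz.jsp" };
        for (String uri : samples) {
            String path = safeJspPath(uri);
            System.out.println(uri + " -> " + (path == null ? "refused" : "serve " + path));
        }
    }
}
```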