tomcat-dev mailing list archives

From "William Barker" <>
Subject [PATCH] Potential security problem with '?' in jsp file name TC3.3B1
Date Wed, 15 Aug 2001 21:48:15 GMT
Apache 1.3.17
TC3.3 B1
Java 1.3.1

Making the request http://myserver/%3f%41%3d%42.jsp was interpreted as a
request for the file "/?A=B.jsp".  JspInterceptor then happily creates a
page containing the contents of the ROOT directory.  The attached patch
forbids such silliness.
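
The attached patch is not reproduced on this page. As an added example, not the patch itself and not Tomcat code, the following sketch shows one way to refuse a request whose path contains a '?' only after percent-decoding. The class and method names are hypothetical, it is written for a current JDK, and returning null stands in for whatever error response the server would send.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class DecodedPathCheck {

    /** Percent-decodes an ASCII request path; returns null if it is malformed. */
    static String percentDecode(String raw) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c > 0x7f) return null;              // raw URIs must be ASCII
            if (c != '%') { out.write(c); continue; }
            if (i + 2 >= raw.length()) return null; // truncated escape
            int hi = hexValue(raw.charAt(i + 1));
            int lo = hexValue(raw.charAt(i + 2));
            if (hi < 0 || lo < 0) return null;      // not two hex digits
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    static int hexValue(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    /** Returns the decoded path, or null if the request should be refused. */
    static String checkedPath(String requestUri) {
        // Only a literal '?' in the raw URI starts the query string.
        int q = requestUri.indexOf('?');
        String rawPath = (q >= 0) ? requestUri.substring(0, q) : requestUri;
        String path = percentDecode(rawPath);
        // A '?' present after decoding arrived as %3f, so it is part of the file name.
        if (path == null || path.indexOf('?') >= 0) return null;
        return path;
    }

    public static void main(String[] args) {
        // Constructed sample request URIs; the first is the one from the report.
        String[] samples = { "/%3f%41%3d%42.jsp", "/index.jsp?A=B", "/%41.jsp", "/bad%zz.jsp" };
        for (String uri : samples) {
            String path = checkedPath(uri);
            System.out.println(uri + " -> " + (path == null ? "refused" : path));
        }
    }
}
```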
