tomcat-dev mailing list archives

From "Remy Maucherat" <r...@apache.org>
Subject Re: [4.0-HEAD] JSP source exposure ?
Date Wed, 17 Apr 2002 09:27:01 GMT
> On Tue, 16 Apr 2002, Remy Maucherat wrote:
>
> > Thanks.
> > Since the problem is real, I've put in a fix (it will return 400 the way
> > 4.0.x does).
> >
> > I'm not sure why it happens though.
> > I think because the file extension is ".jsp\0", it gets mapped to the
> > default servlet, which would then attempt to serve the resource. On Windows,
> > I was getting a 404, so my guess is that it was trying to get 'foo.jsp\0'
> > (and failing correctly), while on Unix the file would be found (somehow).
> >
>
> IIRC, this is the same as what we saw the last time this kind of thing
> showed up -- and it was ultimately because of the filesystem logic on the
> underlying OS.  Such a runtime written in C (like most Unix stuff is) will
> not have any problem at all accepting "foo.jsp\0" and treating it as a
> reference to "foo.jsp" -- because null bytes delimit Strings in the C I/O
> library.

Thanks for the explanation.
Refusing a null character in a decoded URL seems like a safe choice.

Remy
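The exchange above, as an added illustration that is not Tomcat's code: a toy model of extension-based servlet mapping shows why a decoded path ending in `.jsp\0` misses the JSP mapping and falls through to the default servlet, a model of C's NUL-terminated strings shows why the underlying file lookup still finds `foo.jsp`, and `route_checked` applies the mitigation Remy describes (reject any NUL in the decoded URL with a 400). The mapping table and all function names are constructed for this example.

```python
"""Added example (not Tomcat code): NUL in a decoded request path.

Models the three pieces discussed in the thread:
  1. extension mapping that never matches ".jsp\\0",
  2. a C runtime that stops reading the name at the first NUL,
  3. the fix: refuse a NUL character in the decoded URL (HTTP 400).
"""
from urllib.parse import unquote

# Constructed mapping table, loosely modelled on a web.xml servlet-mapping:
# file extension -> servlet name. Unmatched paths go to the default servlet.
EXTENSION_MAPPINGS = {".jsp": "jsp"}


def decode_path(raw_path: str) -> str:
    """Percent-decode the request path (e.g. %00 -> NUL)."""
    return unquote(raw_path)


def map_by_extension(decoded_path: str) -> str:
    """Extension mapping: the extension is everything after the last '.'
    in the final path segment. For 'foo.jsp\\0' that is '.jsp\\0', which
    matches nothing, so the request falls through to the default servlet."""
    last_slash = decoded_path.rfind("/")
    last_dot = decoded_path.rfind(".")
    if last_dot > last_slash:
        return EXTENSION_MAPPINGS.get(decoded_path[last_dot:], "default")
    return "default"


def c_truncated_name(decoded_path: str) -> str:
    """Model of a C I/O library: the file name ends at the first NUL byte,
    so 'foo.jsp\\0' names the same file as 'foo.jsp'."""
    nul = decoded_path.find("\0")
    return decoded_path if nul < 0 else decoded_path[:nul]


def route_unchecked(raw_path: str) -> str:
    """Pre-fix behaviour: decode, then map purely by extension."""
    return map_by_extension(decode_path(raw_path))


def route_checked(raw_path: str):
    """Fixed behaviour: a NUL anywhere in the decoded path is rejected with 400
    before any mapping or file lookup happens. Returns (status, servlet)."""
    decoded = decode_path(raw_path)
    if "\0" in decoded:
        return 400, None
    return 200, map_by_extension(decoded)


if __name__ == "__main__":
    for raw in ("/app/foo.jsp", "/app/foo.jsp%00"):
        print(raw, "->", route_unchecked(raw),
              "| file opened as", repr(c_truncated_name(decode_path(raw))),
              "| with check:", route_checked(raw))
```

With the unchecked router, `/app/foo.jsp%00` lands on the default servlet while the file system resolves the name to `foo.jsp`, which is exactly the combination that serves the JSP source as a static file; the checked router returns 400 before either step runs.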



