tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Remy Maucherat" <r...@apache.org>
Subject [4.0-HEAD] JSP source exposure ?
Date Tue, 16 Apr 2002 21:17:50 GMT
Hi,

I got a report about a URL based exploit against the nightly builds for TC 4
(4.0-HEAD).
Basically, accessing foo.jsp%00 (or foo.jsp%00.txt) is supposed to get the
source code for foo.jsp.

I cannot reproduce the problem when Tomcat is running on Windows (I get a
404 for that kind of URLs). However, since I refactored the URL handling,
this kind of problem may have been reintroduced.

If I could get reports from people running the nightlies on Unix, that would
be nice.

Note: If there's a problem, it would be a good idea for the URL decoding
method to complain when it encounters a null character when decoding a %xx,
as I don't see a single valid use case for that (except in URL based
attacks, of course).

Thanks,
Remy


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message