tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Remy Maucherat" <>
Subject [4.0-HEAD] JSP source exposure ?
Date Tue, 16 Apr 2002 21:17:50 GMT

I got a report about a URL based exploit against the nightly builds for TC 4
Basically, accessing foo.jsp%00 (or foo.jsp%00.txt) is supposed to get the
source code for foo.jsp.

I cannot reproduce the problem when Tomcat is running on Windows (I get a
404 for that kind of URLs). However, since I refactored the URL handling,
this kind of problem may have been reintroduced.

If I could get reports from people running the nightlies on Unix, that would
be nice.

Note: If there's a problem, it would be a good idea for the URL decoding
method to complain when it encounters a null character when decoding a %xx,
as I don't see a single valid use case for that (except in URL based
attacks, of course).


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message