tomcat-dev mailing list archives

From: "Remy Maucherat" <r...@apache.org>
Subject: Re: [4.0-HEAD] JSP source exposure ?
Date: Tue, 16 Apr 2002 22:09:11 GMT

> I had a few spare minutes so I went ahead and grabbed last night's build.
>
> I ran it on Red Hat Linux 7.2 and can confirm the report.
>
> Requesting foo.jsp%00.txt gets you the source.
>
> Requesting foo.jsp%00 gets you a strange page that includes some html
> widgets and some of the jsp source too.  Surprising (at least to me) and
> ugly.

Thanks.
Since the problem is real, I've put in a fix (it will return 400 the way
4.0.x does).

I'm not sure why it happens though.
I think because the file extension is ".jsp\0", it gets mapped to the
default servlet, which would then attempt to serve the resource. On Windows,
I was getting a 404, so my guess is that it was trying to get 'foo.jsp\0'
(and failing correctly), while on Unix the file would be found (somehow).

Remy
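
The extension mapping hypothesised in the message above, together with a pre-mapping check that answers 400, as an added Java example that is not part of the original message and is not Tomcat's code. `mapServlet`, `statusFor` and the sample paths are constructed for illustration, and the mapping is a deliberate simplification.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class NulPathCheck {

    // Hypothetical, simplified extension mapping (not Tomcat's mapper):
    // only an exact ".jsp" extension is routed to the JSP servlet.
    static String mapServlet(String decodedPath) {
        int dot = decodedPath.lastIndexOf('.');
        String ext = dot < 0 ? "" : decodedPath.substring(dot);
        return ext.equals(".jsp") ? "jsp" : "default";
    }

    // Percent-decodes the path; returns null on a malformed escape.
    // URLDecoder also turns '+' into a space; the samples contain none.
    static String decode(String rawPath) {
        try {
            return URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Check applied before any mapping: 400 for a malformed escape or
    // for a NUL character anywhere in the decoded path, otherwise 200.
    static int statusFor(String rawPath) {
        String decoded = decode(rawPath);
        return (decoded == null || decoded.indexOf('\0') >= 0) ? 400 : 200;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {"/foo.jsp", "/foo.jsp%00.txt", "/foo.jsp%00", "/foo.jsp%zz"};
        for (String raw : samples) {
            String decoded = decode(raw);
            // Where the request would land if the check were skipped.
            String unchecked = decoded == null ? "-" : mapServlet(decoded);
            System.out.printf("%-16s unchecked mapping=%-8s status=%d%n",
                    raw, unchecked, statusFor(raw));
        }
    }
}
```

Without the check, both `%00` paths fall through to the `default` mapping because their extensions are `.txt` and `.jsp\0` rather than `.jsp`; with it, they are rejected before mapping.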

