tomcat-dev mailing list archives

From "Remy Maucherat" <>
Subject Re: [4.0-HEAD] JSP source exposure ?
Date Tue, 16 Apr 2002 22:09:11 GMT
> I had a few spare minutes so I went ahead and grabbed last night's build.
> I ran it on Red Hat Linux 7.2 and can confirm the report.
> Requesting foo.jsp%00.txt gets you the source.
> Requesting foo.jsp%00 gets you a strange page that includes some html
> widgets and some of the jsp source too.  Surprising (at least to me) and
> ugly.

Since the problem is real, I've put in a fix (it will return 400 the way
4.0.x does).

I'm not sure why it happens though.
I think because the file extension is ".jsp\0", it gets mapped to the
default servlet, which would then attempt to serve the resource. On Windows,
I was getting a 404, so my guess is that it was trying to get 'foo.jsp\0'
(and failing correctly), while on Unix the file would be found (somehow).
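
An added illustration of the hypothesis in this message and of a check that answers such requests with 400; it is not Tomcat's code or the fix that was committed. The class, its method names and the two-way mapping are hypothetical, and the NUL-truncating file API is an assumption about the layer below, not something the message establishes.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class NulPathCheck {
    // Hypothetical stand-in for extension-based servlet mapping.
    static String mapByExtension(String path) {
        int dot = path.lastIndexOf('.');
        String ext = dot < 0 ? "" : path.substring(dot);
        return ext.equals(".jsp") ? "jsp servlet" : "default servlet";
    }

    // Assumption: a C-string file API stops reading the name at the first NUL.
    static String asCString(String path) {
        int nul = path.indexOf('\0');
        return nul < 0 ? path : path.substring(0, nul);
    }

    // The check: refuse any decoded path containing NUL before mapping it.
    static String handle(String rawPath) {
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        if (path.indexOf('\0') >= 0) {
            return "400 Bad Request";
        }
        return "200, handled by " + mapByExtension(path);
    }

    public static void main(String[] args) {
        // Constructed request paths, taken from the report quoted above.
        String[] requests = {"/foo.jsp", "/foo.jsp%00.txt", "/foo.jsp%00"};
        for (String raw : requests) {
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.printf("%-16s unchecked: %s would read '%s'; checked: %s%n",
                    raw, mapByExtension(decoded), asCString(decoded), handle(raw));
        }
    }
}
```

The unchecked column shows the mismatch: the mapper sees the extension after the NUL while the name handed to the file layer ends before it. `URLDecoder.decode(String, Charset)` needs Java 10 or later and also turns `+` into a space, which a real path decoder would not do.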

