Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
List-Id: "Tomcat Developers List"
Message-ID: <00e301c1e58c$2aa45740$6501a8c0@apache.org>
From: "Remy Maucherat"
Subject: [4.0-HEAD] JSP source exposure ?
Date: Tue, 16 Apr 2002 14:17:50 -0700

Hi,

I got a report about a URL based exploit against the nightly builds for TC 4 (4.0-HEAD). Basically, accessing foo.jsp%00 (or foo.jsp%00.txt) is supposed to get the source code for foo.jsp. I cannot reproduce the problem when Tomcat is running on Windows (I get a 404 for URLs of that kind). However, since I refactored the URL handling, this kind of problem may have been reintroduced. If I could get reports from people running the nightlies on Unix, that would be nice.
Note: If there's a problem, it would be a good idea for the URL decoding method to complain when it encounters a null character when decoding a %xx, as I don't see a single valid use case for that (except in URL based attacks, of course).

Thanks,
Remy
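The check Remy proposes, a decoder that refuses an encoded null, is illustrated below in Python as an added, language-neutral example; it is not Tomcat's URL handling code. The strict decoder rejects %00, truncated or non-hex escapes, raw control characters and invalid UTF-8, and returns a structured result so a test or log harness can inspect why a path was refused. A second helper shows why the null matters for a servlet container: a string-based mapper matches the extension after the null (and so does not hand the request to the JSP servlet), while a NUL-terminated filesystem API would open the name before it, so the two views of one decoded path disagree. Function names and the sample paths are this example's own, constructed for illustration.

```python
import string
from urllib.parse import unquote


def strict_url_decode(path: str) -> str:
    """Percent-decode a request path, refusing anything that cannot be a
    legitimate path character: an encoded NUL (%00), a truncated or non-hex
    escape, a raw control character, or bytes that are not valid UTF-8.
    Raises ValueError (UnicodeDecodeError is a ValueError subclass)."""
    out = bytearray()
    i, n = 0, len(path)
    while i < n:
        c = path[i]
        if c == "%":
            pair = path[i + 1:i + 3]
            if len(pair) != 2 or not all(h in string.hexdigits for h in pair):
                raise ValueError(f"malformed percent escape at offset {i}")
            b = int(pair, 16)
            if b == 0:
                raise ValueError(f"encoded NUL (%00) at offset {i}")
            out.append(b)
            i += 3
        else:
            if ord(c) < 0x20 or ord(c) == 0x7F:
                raise ValueError(f"raw control character at offset {i}")
            out += c.encode("utf-8")
            i += 1
    return out.decode("utf-8")


def lenient_url_decode(path: str) -> str:
    """The behaviour the message warns about: every %xx becomes a byte,
    %00 included. urllib's unquote does exactly this."""
    return unquote(path)


def mapper_view_vs_filesystem_view(decoded: str) -> tuple[str, str]:
    """For an already-decoded path, return (the extension a string-based
    servlet mapper would match on, the name a NUL-terminated filesystem API
    would actually open). When these disagree, the handler chosen by
    extension and the file that gets read are not the same resource."""
    last_segment = decoded.rsplit("/", 1)[-1]
    mapper_ext = last_segment.rsplit(".", 1)[1] if "." in last_segment else ""
    fs_name = decoded.split("\x00", 1)[0]
    return mapper_ext, fs_name


def check_request_path(raw: str) -> dict:
    """Decode with the strict rules and report the outcome instead of raising,
    so the caller can log the reason and answer 400/404 consistently."""
    try:
        decoded = strict_url_decode(raw)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc), "decoded": None}
    return {"accepted": True, "reason": None, "decoded": decoded}


if __name__ == "__main__":
    # Constructed sample request paths; the second is the pattern from the report.
    for sample in ("/app/foo.jsp", "/app/foo.jsp%00.txt", "/app/caf%C3%A9.jsp"):
        print(sample, "->", check_request_path(sample))
    loose = lenient_url_decode("/app/foo.jsp%00.txt")
    print("lenient decode: mapper sees", mapper_view_vs_filesystem_view(loose))
```

The strict decoder is the mitigation; the mapper-versus-filesystem helper is the diagnostic that shows what a lenient decoder lets through. Rejecting at decode time, before any mapping or file lookup, is what keeps the two views from ever diverging.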