From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Date: 12 Apr 2002 08:31:16 -0000
Message-ID: <20020412083116.27041.qmail@nagoya.betaversion.org>
Mailing-List: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Subject: DO NOT REPLY [Bug 8005] New: - Bad Param passing with jsp:include

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8005

           Summary: Bad Param passing with jsp:include
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Servlet & JSP API
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: simon@gx.nl

Consider:

If title is "Tom & Jerry" it will not be passed correctly to the header.jsp.
Looking at the tmp java file that this jsp is converted into before being
compiled, I see something like:

    {
        String _jspx_qStr = "";
        _jspx_qStr = _jspx_qStr + "?title=" + title;
        JspRuntimeLibrary.include(request, response, "header.jsp" + _jspx_qStr, out, true);
    }

The problem should be obvious now. Parameter values are _not_ being encoded
before constructing the query string to be passed to the included jsp. This
means that any value containing an ampersand will get mangled.

Also, from what I can tell, the same problem applies if the parameter value is
hardcoded, i.e.

The JSP 1.2 spec claims that these "Standard Actions" are XML, which means
that "Tom & Jerry" should be legal. The spec has little to say about encoding
for parameters specified as expressions though. Also, in this case I would
expect "Tom & Jerry" to be received by the called jsp, i.e. the parser should
see "Tom & Jerry" and decode it to unicode (whatever) and pass that.

There is also a security aspect to this bug. If an attacker can control a
parameter value that is explicitly passed by a jsp to another jsp, they would
be able to override any request parameters that may have been added directly
by the application (i.e. request parameters added to the request object via
jsp:include calls, not request parameters submitted as part of a HTTP POST/GET
operation).

Just ask if you need more explanation.
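The following is an added illustration, not code from the bug report or from Tomcat's Jasper compiler. It reproduces the shape of the generated snippet quoted above (`buildUnencoded`), puts a URL-encoded variant beside it (`buildEncoded`), and runs both through a small query-string splitter (`parseQuery`) that stands in for how a container populates request parameters: `&` separates pairs, `=` separates name from value, first occurrence of a name wins. All three method names are assumptions made for this example; the sample value "Tom & Jerry" is the one from the report.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class IncludeParamDemo {

    // Same construction as the generated code in the report: the parameter value is
    // concatenated straight into the query string, with no encoding at all.
    static String buildUnencoded(String title) {
        String qStr = "";
        qStr = qStr + "?title=" + title;
        return "header.jsp" + qStr;
    }

    // Hardened variant: encode both name and value with application/x-www-form-urlencoded
    // rules before concatenation, so '&', '=', '?' and '#' inside the value can no longer
    // act as query-string delimiters when the included page parses them.
    static String buildEncoded(String title) throws UnsupportedEncodingException {
        String qStr = "";
        qStr = qStr + "?" + URLEncoder.encode("title", "UTF-8")
                    + "=" + URLEncoder.encode(title, "UTF-8");
        return "header.jsp" + qStr;
    }

    // Simplified stand-in (assumption, not container code) for how request parameters are
    // recovered from the included URL: split on '&', then on the first '=', decode each part,
    // and keep the first value seen for a given name, as getParameter() would.
    static Map<String, String> parseQuery(String url) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) {
            return params;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name  = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? ""   : pair.substring(eq + 1);
            params.putIfAbsent(URLDecoder.decode(name, "UTF-8"),
                               URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        String title = "Tom & Jerry";  // sample value taken from the report

        // Unencoded: the '&' in the value splits it into two parameters. The title is
        // truncated to "Tom " and a stray parameter named "Jerry" appears, which is the
        // mechanism behind the parameter-override concern raised in the report.
        String bad = buildUnencoded(title);
        System.out.println(bad);              // header.jsp?title=Tom & Jerry
        System.out.println(parseQuery(bad));  // {title=Tom , Jerry=}

        // Encoded: the '&' travels as %26 and the included page sees the original value.
        String good = buildEncoded(title);
        System.out.println(good);             // header.jsp?title=Tom+%26+Jerry
        System.out.println(parseQuery(good)); // {title=Tom & Jerry}
    }
}
```

Encoding at the point where the query string is assembled, rather than relying on what the value "should" look like after the JSP's XML parsing, is the check that closes both the mangling and the parameter-injection path: once the value is percent-encoded, nothing a caller places in `title` can introduce a second name/value pair into the included request.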