tomcat-users mailing list archives

From "Sylvain St-Germain" <sylv...@macadamian.com>
Subject RE: jsp file name with UPPERCASE extension...
Date Wed, 05 Jul 2000 16:22:12 GMT
Thanks for the info.
Regards,
--
Sylvain St-Germain  Macadamian Technologies Inc.
Project Leader      sylvain@macadamian.com
613.739.5976 (114)  www.macadamian.com



> -----Original Message-----
> From: Larry Isaacs [mailto:Larry.Isaacs@sas.com]
> Sent: Friday, June 30, 2000 10:38 AM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: RE: jsp file name with UPPERCASE extension...
>
>
> This seems to be an issue about what a server should do when case
> sensitive URLs access files on a case insensitive operating
> system.  In Tomcat 3.2, the following code appears in
> org.apache.tomcat.util.FileUtil.safePath():
>
>     try {
>         canPath=new File(realPath).getCanonicalPath();
>     } catch( IOException ex ) {
>         ex.printStackTrace();
>         return null;
>     }
>
>     // This absPath/canPath comparison plugs security holes...
>     // On Windows, makes "x.jsp.", "x.Jsp", and "x.jsp%20"
>     // return 404 instead of the JSP source
>     // On all platforms, makes sure we don't let ../'s through
>     // Unfortunately, on Unix, it prevents symlinks from working
>     // So, a check for File.separatorChar='\\' ..... It hopefully
>     // happens on flavors of Windows.
>     if (File.separatorChar  == '\\') {
>         // On Windows check ignore case....
>         if (!realPath.equalsIgnoreCase(canPath)){
>             int ls=realPath.lastIndexOf('\\');
>             if ( (ls > 0) &&
>                  !realPath.substring(0,ls).equalsIgnoreCase(canPath) )
>                 return null;
>         }
>     }
>
> Because the "if (!realPath.equalsIgnoreCase(canPath))" is case
> insensitive, ".Jsp" gets through despite what the comment says.
> Perhaps it was once "realPath.equals(canPath)"?  This code
> previously lived in the now defunct DefaultServlet where it was
> case insensitive as far back as I could look.  I tried changing
> both ".equalsIgnoreCase(" to ".equals(" and ran the watchdog
> tests.  No new failures occurred.
>
> Does anyone know why these comparisons are case insensitive,
> other than maybe those using Windows aren't used to worrying
> about case sensitivity of file names? IMHO, I think they should
> be case sensitive.  Requiring Windows users to map all case
> permutations of "*.jsp" to avoid statically serving your JSP
> source would be asking too much.  Is there another way to avoid
> this problem?
>
> Thanks.
>
> Larry
>
> -----Original Message-----
> From: Sylvain St-Germain [mailto:sylvainstg@videotron.ca]
> Sent: Thursday, June 29, 2000 9:20 PM
> To: tomcat-user@jakarta.apache.org
> Subject: RE: jsp file name with UPPERCASE extension...
>
>
> You are right, how do you guys fix this problem?  I am under the impression
> that this is a Windows issue, not being case sensitive...
>
> Am I wrong?  In any case how do you guys handle this situation?
> Sylvain.
>
> > -----Original Message-----
> > From: Larry Isaacs [mailto:Larry.Isaacs@sas.com]
> > Sent: 29 juin, 2000 16:48
> > To: 'tomcat-user@jakarta.apache.org'
> > Subject: RE: jsp file name with UPPERCASE extension...
> >
> >
> > Don't forget about *.Jsp, *.jSp, etc. :^)
> >
> > This could be real annoying if you don't want your JSP pages
> > served up statically.
> >
> > Cheers,
> >
> > Larry
> >
> > -----Original Message-----
> > From: Sylvain St-Germain [mailto:sylvain@macadamian.com]
> > Sent: Thursday, June 29, 2000 4:48 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: RE: jsp file name with UPPERCASE extension...
> >
> >
> > > You can map the *.JSP extension to the JSP processing servlet if
> > > you want to partially deal with this issue, by using a
> > > <servlet-mapping> entry in your web.xml file.  If you're using
> > > Apache, you will need to add configuration directives to forward
> > > *.JSP requests the same way it forwards *.jsp requests.
> >
> > This seems a good solution.
> > I tried adding the following section in my web.xml
> >
> >     <servlet-mapping>
> >         <servlet-name>
> >             jsp
> >         </servlet-name>
> >         <url-pattern>
> >             *.JSP
> >         </url-pattern>
> >     </servlet-mapping>
> >
> > I also tried by adding this before
> >     <servlet>
> >         <servlet-name>
> >             jsp
> >         </servlet-name>
> >         <servlet-class>
> >             org.apache.jasper.runtime.JspServlet
> >         </servlet-class>
> > 	<load-on-startup>
> >             -2147483646
> > 	</load-on-startup>
> >     </servlet>
> >
> >
> > Does not work, I get error at startup saying:
> > config parse: parsing error: There is no web component by the name of jsp
> > here.
> >
> > Any one has guidelines on this?
> >
> > Regards,
> > Sylvain.
> >
> > > -----Original Message-----
> > > From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> > > Sent: Thursday, June 29, 2000 2:52 PM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: Re: jsp file name with UPPERCASE extension...
> > >
> > >
> > > Sylvain St-Germain wrote:
> > >
> > > > Under Windows, the jsp file is displayed in the browser instead of
> > > > being executed if typed in uppercase.  Has it been fixed in a recent
> > > > tomcat version?
> > > >
> > >
> > > No.  URLs are case sensitive.
> > >
> > >
> > > >
> > > > Regards,
> > > > --
> > > > Sylvain St-Germain  Macadamian Technologies Inc.
> > > > Project Leader      sylvain@macadamian.com
> > > > 613.739.5976 (114)  www.macadamian.com
> > > >
> > >
> > > Craig McClanahan
> > >
> > >
> > >
> > >
> > > --------------------------------------------------------------------------
> > > To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, email: tomcat-user-help@jakarta.apache.org
>
>
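
Added example (not Tomcat's code and not written by anyone in this thread): a simplified Java model of the Windows branch quoted from FileUtil.safePath(), run over constructed paths, showing what the quoted equalsIgnoreCase comparison lets through next to the equals variant Larry tried. The class name, the helper methods, the sample paths and the exact-match stand-in for the "*.jsp" mapping are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SafePathDemo {
    // Mirrors the quoted Windows branch. caseSensitive=false is the quoted
    // ".equalsIgnoreCase(" code; true is the ".equals(" variant from the thread.
    static boolean pathAllowed(String realPath, String canPath, boolean caseSensitive) {
        if (same(realPath, canPath, caseSensitive)) return true;
        int ls = realPath.lastIndexOf('\\');
        // Quoted code returns null when ls > 0 and the parent differs from canPath.
        return !(ls > 0 && !same(realPath.substring(0, ls), canPath, caseSensitive));
    }

    static boolean same(String a, String b, boolean caseSensitive) {
        return caseSensitive ? a.equals(b) : a.equalsIgnoreCase(b);
    }

    // Simplified request model (assumption): the "*.jsp" mapping is an exact,
    // case-sensitive match; anything else falls to the static handler, which
    // returns the file contents if the path check passes.
    static String outcome(String realPath, String canPath, boolean caseSensitive) {
        if (realPath.endsWith(".jsp")) return "JSP servlet";
        return pathAllowed(realPath, canPath, caseSensitive) ? "static handler" : "404";
    }

    public static void main(String[] args) {
        // Constructed samples: requested path -> canonical path as a
        // case-insensitive Windows file system would report it.
        Map<String, String> samples = new LinkedHashMap<>();
        String base = "C:\\webapps\\app\\";
        samples.put(base + "x.jsp", base + "x.jsp");
        samples.put(base + "x.Jsp", base + "x.jsp");   // case permutation
        samples.put(base + "x.JSP", base + "x.jsp");
        samples.put(base + "x.jsp.", base + "x.jsp");  // trailing dot
        samples.put(base + "docs\\", base + "docs");   // trailing separator
        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.printf("%-24s ignoreCase: %-16s equals: %s%n", e.getKey(),
                outcome(e.getKey(), e.getValue(), false),
                outcome(e.getKey(), e.getValue(), true));
        }
    }
}
```

In this model a "static handler" result for x.Jsp or x.JSP means the JSP source is returned, which is the case the quoted comment says should be a 404.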

