tomcat-users mailing list archives

From Nick.Hollo...@pyrites.org.uk (Nick Holloway)
Subject Re: Tomcat security issue
Date Wed, 18 Oct 2000 10:44:05 GMT

Takhoe@apiit.edu.my (Cheong Takhoe) writes:
> if you have a file x.jsp
> when you access it through the web browser, http://<hostname>/x.jsp\
> with the \ there,
> 
> it opens up the source code....

This appears to be a bug with both the NT Apache and Tomcat. (Apache
1.3.12, and Tomcat 3.1).

I have the JSP files passed to Tomcat from Apache using:

    AddType test/jsp .jsp
    AddHandler jserv-servlet .jsp

I've confirmed that the "x.jsp\" request is being passed to Tomcat,
as if I stop it, I get the "Internal Server Error".  So this is a bug
in Apache, as it shouldn't be passing ".jsp\" through to Tomcat.

The next bug is with Tomcat as it opens the JSP file despite the trailing
"\", but sends it back as text (as "x.jsp\" doesn't match "*.jsp").

Looking into Tomcat a bit further, the problem with Tomcat is with the
DefaultServlet.  It takes the request URI, concatenates it with the
path info.  This leads to a path such as "c:\blah\blah\x.jsp\".

The following code demonstrates how the trailing "\" is dropped silently
by File.getAbsolutePath().

        import java.io.File;

        // On NT, the printed path no longer has the trailing "\".
        File file = new File( "c:\\web\\index.jsp\\" );
        String absPath = file.getAbsolutePath();
        System.out.println( absPath );

> I don't know whether this is similar on a non-NT platform. 

Fortunately (for me), the same problem doesn't occur with Apache 1.3.12
and Tomcat 3.1 under Solaris.

-- 
 `O O'  | Nick.Holloway@pyrites.org.uk
// ^ \\ | http://www.pyrites.org.uk/
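
An added example, not part of the original message and not Tomcat's code: one way a static-file handler can refuse a request such as "x.jsp\" instead of serving the file as text. It rejects trailing characters that file APIs may drop and compares the canonical path with the path built from the request. The class name, method name and the "webapp-root" directory are hypothetical.

```java
import java.io.File;
import java.io.IOException;

// Added example: class, method and directory names are hypothetical.
public class StaticPathCheck {

    /** Returns the file to serve, or null if the request must be rejected. */
    static File resolve(File docBase, String requestPath) throws IOException {
        // Reject separators and trailing characters that the file layer may
        // silently drop, so "x.jsp\" is never handled as a static file.
        if (requestPath.indexOf('\\') >= 0
                || requestPath.endsWith(".")
                || requestPath.endsWith(" ")
                || requestPath.endsWith("/")) {
            return null;
        }
        String relative = requestPath.replace('/', File.separatorChar);
        File requested = new File(docBase, relative);
        // The canonical form is the name the OS will actually open. If it
        // differs from the path built from the request, the name was
        // rewritten on the way (dropped characters, "..", changed case).
        String canonical = requested.getCanonicalPath();
        String expected = new File(docBase.getCanonicalPath(), relative).getPath();
        if (!canonical.equals(expected)) {
            return null;
        }
        return requested;
    }

    public static void main(String[] args) throws IOException {
        File docBase = new File("webapp-root"); // constructed sample directory
        // Constructed sample request paths.
        String[] samples = { "/x.jsp", "/x.jsp\\", "/x.jsp.", "/x.jsp ", "/../x.jsp" };
        for (String s : samples) {
            String verdict = (resolve(docBase, s) == null) ? "reject" : "allow";
            System.out.println("[" + s + "] -> " + verdict);
        }
    }
}
```

The check has to run before the decision between the JSP handler and the static-file handler, so that the name used for the extension match is the same name that is opened on disk.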
