tomcat-users mailing list archives

From "Parsons Technical Services" <parsonstechni...@earthlink.net>
Subject Re: source code exposure
Date Fri, 27 Feb 2004 04:35:15 GMT
unplug,

I am running 4.1.29 in standalone. Try the page directly on TC.
Mine goes to the same page with either URL. I suspect that what may be
happening is that in the first case Apache is handing off the request to TC
which returns the html. In the second case Apache is serving the page up
directly without passing it to TC. As I said above I don't run the Apache/TC
setup and this is just a guess. Look for a filter setting that tells Apache
what to send to TC. If the filter is too specific then a malformed URL will
be missed by the filter. Note the term filter may not be correct in this
case.
Check your logs to see if the request is being seen by TC in both cases. If
only case one is seen then it sounds like a config issue as stated above. If
both requests are seen then there is a serious config issue with TC.

Just an idea.

Doug
www.parsonstechnical.com


----- Original Message ----- 
From: "unplug" <unplug@vulture.no-ip.com>
To: "tomcat-user" <tomcat-user@jakarta.apache.org>
Sent: Thursday, February 26, 2004 11:14 PM
Subject: Re: source code exposure


> As you can see, the jsp only contains a line of code <%= new
> java.util.Date() %>.  I haven't set the content type in the jsp and it
> can be run at http://company.com/examples/test.jsp.  However, the source code
> is exposed at http://company.com//examples/test.jsp.  I wonder why the "/"
> will cause source code exposure.  Is it a bug or a missing configuration
> of tomcat?  Can anyone help to stop the source code exposure?
>
> Thanks,
> unplug
>
> jerome moliere wrote:
> >
> > unplug wrote:
> >
> > >HI all,
> > >
> > >  I am using Fedora Core 1 with tomcat 4.1.29, apache 2.0.48 and
> > >mod_jk2.  I have created a simple jsp (code listed below) and put it
> > >under $CATALINA_HOME/webapps/examples.
> > >
> > >code:
> > >file name: test.jsp
> > ><%= new java.util.Date() %>
> > >
> > >  It can be accessed in the browser using the following link
> > >http://company.com/examples/test.jsp
> > >
> > >  However, its source code will be exposed when I type the following.
> > >http://company.com//examples/test.jsp
> > >
> > >  How can I configure it to prevent such exposure?  Can anyone give me
> > >some advice?
> > >
> > >
> > I guess that your JSP doesn't specify the content for the response so
> > the browser doesn't lay out the HTML but shows the code source instead...
> > So try to fix the content type in your response to text/html
> > HTH
> > Jerome
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
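The log comparison suggested in the reply above, as an added example that is not part of the original thread: it lists `.jsp` requests that Apache answered with 200 but that never appear in Tomcat's access log, which is the "only case one is seen" outcome. It assumes both servers write Common Log Format with synchronized clocks; the log lines are constructed samples.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(lines):
    """Yield (host, time, method, path, status) for each parsable CLF line."""
    for line in lines:
        m = CLF.match(line)
        if m:
            host, ts, method, path, status = m.groups()
            yield host, ts, method, path, int(status)

def collapse(path):
    """Collapse runs of '/' in the path part, leaving any query string alone."""
    p, sep, q = path.partition("?")
    return re.sub(r"/{2,}", "/", p) + sep + q

def unforwarded_jsp(apache_lines, tomcat_lines):
    """Return .jsp requests Apache answered 200 that Tomcat never logged."""
    seen = Counter((h, t, m, p) for h, t, m, p, _ in parse(tomcat_lines))
    findings = []
    for h, t, m, p, status in parse(apache_lines):
        is_jsp = collapse(p).partition("?")[0].lower().endswith(".jsp")
        if status != 200 or not is_jsp:
            continue
        key = (h, t, m, p)
        if seen[key] > 0:
            seen[key] -= 1  # Tomcat handled this request
            continue
        # Apache served a JSP itself: the source was likely sent as a static file.
        findings.append({"host": h, "time": t, "path": p,
                         "non_canonical": collapse(p) != p})
    return findings

# Constructed sample logs; only the two URL paths come from the thread.
APACHE_LOG = [
    '192.0.2.10 - - [27/Feb/2004:04:10:01 +0000] "GET /examples/test.jsp HTTP/1.1" 200 29',
    '192.0.2.10 - - [27/Feb/2004:04:10:07 +0000] "GET //examples/test.jsp HTTP/1.1" 200 30',
    '192.0.2.10 - - [27/Feb/2004:04:10:09 +0000] "GET /index.html HTTP/1.1" 200 512',
]
TOMCAT_LOG = [
    '192.0.2.10 - - [27/Feb/2004:04:10:01 +0000] "GET /examples/test.jsp HTTP/1.1" 200 29',
]

if __name__ == "__main__":
    for finding in unforwarded_jsp(APACHE_LOG, TOMCAT_LOG):
        print(finding)
```

A finding with `non_canonical` set to true points at the front-end mapping matching the literal path rather than its normalized form.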


