tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: source code exposure
Date Fri, 27 Feb 2004 06:10:46 GMT

"unplug" <unplug@vulture.no-ip.com> wrote in message
news:403EC423.72ADF9D2@vulture.no-ip.com...
> As you can see, the jsp only contains a line of code <%= new
> java.util.Date() %>.  I haven't set the content type in the jsp and it
> can be run at http://company.com/examples/test.jsp.  However source code
> exposure at http://company.com//examples/test.jsp.  I wonder why the "/"
> will cause source code exposure.  Is it a bug or configuration missing
> of tomcat?  Anyone can help to stop source code exposure.
>

From a quick glance at the code, it looks like it is a bug.  Use mod_jk
instead of mod_jk2.  mod_jk doesn't have this problem.

> Thanks,
> unplug
>
> jerome moliere wrote:
> >
> > unplug wrote:
> >
> > >HI all,
> > >
> > >  I am using Fedora Core 1 with tomcat 4.1.29, apache 2.0.48 and
> > >mod_jk2.  I have created a simple jsp (code listed below) and put it
> > >under $CATALINA_HOME/webapps/examples.
> > >
> > >code:
> > >file name: test.jsp
> > ><%= new java.util.Date() %>
> > >
> > >  It can be accessed in the browser using the following link
> > >http://company.com/examples/test.jsp
> > >
> > >  However, its source code will be exposed when I type the following.
> > >http://company.com//examples/test.jsp
> > >
> > >  How can I configure it to prevent such exposure?  Can anyone give me
> > >advice?
> > >
> > >
> > I guess that your JSP doesn't specify the content for the response so the browser
> > doesn't layout the HTML but show the code source instead...
> > So try to fix the content type in your response to text/html
> > HTH
> > Jerome




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
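
The symptom reported in this thread (a `.jsp` returned successfully when the request path contains a doubled slash) can be looked for in the front-end web server's access log. The following is an added example, not part of the original messages or of Tomcat/mod_jk2: it assumes Apache's common/combined log format, treats `.jsp` and `.jspx` as the extensions that must always reach Tomcat, and runs on constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Request line, status and size as they appear in Apache common/combined logs.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption for this example: extensions that should always be handled by Tomcat.
DYNAMIC_EXT = (".jsp", ".jspx")

def collapse_slashes(path):
    """Collapse runs of '/' so '//examples/test.jsp' becomes '/examples/test.jsp'."""
    return re.sub(r"/{2,}", "/", path)

def suspicious_requests(lines):
    """Yield (raw_path, normalized_path, status) for 2xx responses to dynamic
    pages whose raw request path contains repeated slashes."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an access-log line we understand
        # Split off the query string by hand: urlsplit() would read a leading
        # '//examples' as a network location and silently drop it from the path.
        raw = unquote(m.group("target").split("?", 1)[0])
        norm = collapse_slashes(raw)
        status = int(m.group("status"))
        if raw != norm and norm.lower().endswith(DYNAMIC_EXT) and 200 <= status < 300:
            yield raw, norm, status

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2004:06:01:12 +0000] "GET /examples/test.jsp HTTP/1.1" 200 29',
    '192.0.2.10 - - [27/Feb/2004:06:01:40 +0000] "GET //examples/test.jsp HTTP/1.1" 200 31',
    '192.0.2.11 - - [27/Feb/2004:06:02:03 +0000] "GET /examples//test.jsp?x=1 HTTP/1.1" 404 210',
    '192.0.2.12 - - [27/Feb/2004:06:02:30 +0000] "GET //images/logo.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for raw, norm, status in suspicious_requests(SAMPLE_LOG):
        print(f"{status} {raw} (normalizes to {norm}): check whether source was served")
```

A hit only says the response deserves a look; compare the logged response body or size with what the normalized URL returns to confirm whether source text was sent.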

