tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JSP:includes parameter passing vulnerability
Date Thu, 16 Sep 2010 18:29:07 GMT

Martin,

On 9/15/2010 6:21 PM, Martin Gainty wrote:
> 
> Mike-
> check to make sure your <jsp:param has an end tag e.g.
> <jsp:include page="mycommon.jsp">
>   <jsp:param name="extraparam" value="myvalue" />
> </jsp:include>

Not useful information: <jsp> tags must be well-formed, and wouldn't
even compile if the end tag or short-form of the tag weren't being used.

> 
> if the browser doesn't see the end tag the browser throws away the whole tag and
> uses the default assignment
> (which comes from the jsp:include page=)

The browser never sees this stuff. Fail.

-chris
