From: Hans Bergsten
Organization: Gefion software
Date: Sun, 07 Nov 1999 17:08:31 -0800
To: tomcat-dev@jakarta.apache.org
Subject: Re: DefaultServlet path checks
Message-ID: <3826228F.8FF644@gefionsoftware.com>
References: <19991028010424.25960.qmail@hyperreal.org> <3823A050.C8FCAD9D@gefionsoftware.com> <3824B149.D97EAE66@gefionsoftware.com> <3825DF60.CBE06E10@shorter.eng.sun.com> <3825E010.D9938892@gefionsoftware.com> <3825B5A4.C572CE48@shorter.eng.sun.com>

Harish Prabandham wrote:
>
> Hi,
>
> Your fix sounds good... Does it address the case of a file that
> is named:
>
> foo.Bar.goo and Foo.Bar.GOO & such similar variations....
>
> .html and .htm variations etc....
>
> If it does, please commit the changes to the "trunk" only..

I'm not sure I understand what problem you refer to with the above
examples. It does address the case where someone tries to fool the
server into using the DefaultServlet to reveal the source of a JSP page
(or other extension-based processing) by using extra characters or
mixed case in the extension part. I assume that's what you refer to
in the first example. But what do you mean by ".html and .htm
variations etc."? How is that supposed to be addressed?

Hans
--
Hans Bergsten        hans@gefionsoftware.com
Gefion Software      http://www.gefionsoftware.com
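As an added illustration of the kind of check discussed in this thread (not Hans's patch and not Tomcat's code), the Python below normalises the requested file name the way a file system would before deciding whether a default (static-file) servlet may serve it; the extension-to-handler table and the function names are constructed for the example, and the input is assumed to be the already URL-decoded request path.

```python
"""Illustrative default-servlet extension check (constructed example).

A static-file servlet must not hand out the source of resources that
another handler owns (e.g. *.jsp).  Comparing the raw request string
against "jsp" is not enough: the file system may fold case and ignore
trailing characters, so "index.JSP", "index.jsp." or "index.jsp\x00x"
all open the same file while missing a naive comparison.
"""
import posixpath
from typing import Optional

# Constructed mapping of lower-case extension -> handler that owns it.
PROTECTED_EXTENSIONS = {"jsp": "jsp-engine", "jhtml": "jhtml-engine"}

# Characters some file systems silently drop at the end of a name.
TRAILING_IGNORED = " ."


def normalize_extension(request_path: str) -> Optional[str]:
    """Return the lower-cased extension as the file system would see it.

    request_path is assumed to be already URL-decoded by the container.
    """
    name = posixpath.basename(request_path)
    # Native file APIs treat NUL as the end of the string.
    name = name.split("\x00", 1)[0]
    # Trailing dots and spaces are ignored by some file systems.
    name = name.rstrip(TRAILING_IGNORED)
    _, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return None          # no extension at all (e.g. "README")
    return ext.lower()       # fold case: "JSP" and "Jsp" are "jsp"


def owning_handler(request_path: str) -> Optional[str]:
    """Name of the handler that owns this resource, or None."""
    ext = normalize_extension(request_path)
    return PROTECTED_EXTENSIONS.get(ext) if ext else None


def default_servlet_may_serve(request_path: str) -> bool:
    """The static-file servlet may serve only unowned resources."""
    return owning_handler(request_path) is None


if __name__ == "__main__":
    for p in ["/docs/foo.Bar.goo", "/docs/index.JSP", "/docs/index.jsp.",
              "/docs/index.jsp\x00.html", "/docs/README"]:
        print(repr(p), "serve" if default_servlet_may_serve(p) else "refuse")
```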