tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Arion Yu <>
Subject Re: Security bug in Tomcat on Windows
Date Tue, 11 Jul 2000 03:39:04 GMT

Are you meaning you are opening the JSP file using file://xxxx.jsp?


Serge Knystautas wrote:

> Looked through the mailing list archive and can't find anyone mentioning
> this...
> Platform: Tomcat 3.1 final on Windows (or any other case insensitive
> file system)
> Problem: Source code of JSP can be revealed by varying the extension.
> Steps to reproduce:
> 1. Create a JSP that looks like this:
> <% out.println("Hello world"); %>
> and name it test.jsp.
> 2. Using a browser, access the file in the appropriate directory as
> test.jsp... the JSP will execute normally.
> 3. Then access the file in the appropriate directory as test.JSP... you
> will see the source code for the JSP.
> Apparently the mapper isn't handling these case variations, so it's
> falling through to retrieve the file as a binary file (rather than
> through Jasper).  I'm not sure if putting Apache in front of this helps
> matters.
> This seems like it shouldn't be too difficult to handle and get it fixed
> before 3.2.  Otherwise no one can really deploy Tomcat on Windows
> without a major security risk.
> Serge Knystautas
> Loki Technologies
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

[This email and any files transmitted with it are confidential and may
contain information that is legally privileged. They are intended solely for
the addressee(s). Access to this email by anyone else is unauthorized. If
you are not the intended recipient, please delete it and notify the sender
by email immediately; you should not copy or use it for any purpose, nor
disclose its contents to any other person. Thank you.]

View raw message