Return-Path: Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 82128 invoked by uid 500); 1 Mar 2001 18:05:13 -0000 Delivered-To: apmail-jakarta-tomcat-cvs@apache.org Received: (qmail 82117 invoked by uid 1163); 1 Mar 2001 18:05:08 -0000 Date: 1 Mar 2001 18:05:08 -0000 Message-ID: <20010301180508.82104.qmail@apache.org> From: larryi@apache.org To: jakarta-tomcat-cvs@apache.org Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java larryi 01/03/01 10:05:07 Modified: src/share/org/apache/tomcat/util/io FileUtil.java Log: Removed the "trim" in patch() method to avoid security hole. A file ending in ".jsp%20" would not be considered a JSP page, but could still be served, probably statically, if the trailing space is removed. The sanity and watchdog tests still pass. Submitted by: Kazuhiro Kazama This fixes direct access to Tomcat. The impact on access through mod_jserv and mod_jk still need to be checked. Revision Changes Path 1.2 +4 -4 jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java Index: FileUtil.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- FileUtil.java 2001/02/20 03:12:59 1.1 +++ FileUtil.java 2001/03/01 18:05:00 1.2 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java,v 1.1 2001/02/20 03:12:59 costin Exp $ - * $Revision: 1.1 $ - * $Date: 2001/02/20 03:12:59 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java,v 1.2 2001/03/01 18:05:00 larryi Exp $ + * $Revision: 1.2 $ + * $Date: 2001/03/01 18:05:00 $ * * ==================================================================== * 
@@ -231,7 +231,7 @@ } public static String patch(String path) { - String patchPath = path.trim(); + String patchPath = path; // Move drive spec to the front of the path if (patchPath.length() >= 3 &&
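Review bot: In patch(), the new line `String patchPath = path;` has no comment saying that the input is deliberately left untrimmed, so a later cleanup could put `path.trim()` back and reopen the hole the log describes (a request ending in ".jsp%20" that is not matched as a JSP page but can still be served once the trailing space is dropped). Add a short comment at that line stating that leading and trailing whitespace must be preserved so that the path that gets checked is the same path that gets served. The log reports only that the existing sanity and watchdog tests still pass and that access through mod_jserv and mod_jk is not yet checked; a regression test that requests a path with a trailing encoded space, repeated through those connectors, belongs with this change.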