Hi,
Sorry if someone's reported this before,
I just found a bug that affects (at least) Tomcat 3.2b3 up to 3.3dev from
CVS. The bug lets the user see the source for files mapped to servlets
via the <servlet-mapping> tag in web.xml. The bug usually occurs during
development, so it shouldn't be an issue with stable production sites.
In the WEB-INF/web.xml file, one can remap URIs to servlets. This mapping
doesn't take place when you re-request a page that previously didn't
exist (the "misrequest" of the subject line), and the user gets delivered
uninterpreted source.
The most common situation is you request a mapped page from a webapp that
doesn't exist, realise your mistake, regenerate the webapp and request the
page again. You'll see the page source, as the page hasn't been
interpreted by its associated servlet.
To reproduce the bug:
1) Create a small webapp ~/tomcatbug which maps *.xyz to the JSP
interpreter, using the following script if you like:
#!/bin/sh
cd ~
mkdir -p tomcatbug/WEB-INF || exit
cat > tomcatbug/WEB-INF/web.xml << EOF
<web-app>
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.xyz</url-pattern>
</servlet-mapping>
</web-app>
EOF
cat > tomcatbug/date.xyz << EOF
<%@ page import="java.util.*" %>
<%= (new java.util.Date() ).toLocaleString() %>
EOF
2) Add the "tomcatbug" context to your $TOMCAT_HOME/conf/server.xml:
<Context path="/tomcatbug"
docBase="/home/jeff/tomcatbug"
debug="9"
reloadable="true"
trusted="false" >
</Context>
(modify the docBase as appropriate).
3) Restart Tomcat
4) Verify that the webapp works and "date.xyz" works as expected.
5) Move ~/tomcatbug to ~/tomcatbug~
6) Restart Tomcat
7) Request date.xyz. You should get the expected error:
Not Found (404)
Original request/tomcatbug/tomcat.notFoundHandler
8) Move ~/tomcatbug~ to ~/tomcatbug
9) Request date.xyz. You'll see the raw source:
<%@ page import="java.util.*" %>
<%= (new java.util.Date() ).toLocaleString() %>
Btw, it's not the JSP interpreter's fault; I originally found the bug
mapping *.xml to the Cocoon servlet.
--Jeff
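As an added example (not part of Jeff's report or of Tomcat), here is a small POSIX sh check a deployer can run after the sort of restart-and-rerequest sequence described above, to confirm that a mapped URL is still being interpreted rather than served as raw source. The heuristic flags unprocessed JSP markup in a response body; the sample bodies are constructed from the report's steps, and the live curl line assumes a hypothetical Tomcat on localhost:8080.

```shell
#!/bin/sh
# Added example, not code from the original report: detect whether a response
# for a servlet-mapped resource still contains raw JSP directives/scriptlets
# (<%@ ... %>, <%= ... %>, <% ... %>). A correctly interpreted date.xyz yields
# only the formatted date; raw source means the mapping was not applied.

# Returns 0 (true) when the body passed in $1 contains raw JSP markup.
looks_like_jsp_source() {
    printf '%s\n' "$1" | grep -Eq '<%[@=!]?.*%>'
}

# Classify a response by HTTP status ($1) and body ($2):
# "not-found", "source-disclosed" or "interpreted".
classify_response() {
    status="$1"
    body="$2"
    if [ "$status" -eq 404 ]; then
        echo "not-found"
    elif looks_like_jsp_source "$body"; then
        echo "source-disclosed"
    else
        echo "interpreted"
    fi
}

# Constructed sample bodies mirroring steps 4, 7 and 9 of the report.
RENDERED='Jan 15, 2001 3:04:05 PM'
RAW='<%@ page import="java.util.*" %>
<%= (new java.util.Date() ).toLocaleString() %>'
NOTFOUND='Not Found (404)
Original request/tomcatbug/tomcat.notFoundHandler'

# Live use (hypothetical host and port; not executed here):
#   status=$(curl -s -o /tmp/body.txt -w '%{http_code}' http://localhost:8080/tomcatbug/date.xyz)
#   classify_response "$status" "$(cat /tmp/body.txt)"
```

Run the classification against the mapped URL once after a normal start and again after any remove/restart/restore cycle; any "source-disclosed" result means the page is being delivered uninterpreted.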