On Fri, 11 May 2001, Bip Thelin wrote:

> [EMAIL PROTECTED] wrote:
> > 
> > craigmcc    01/05/11 16:20:12
> > 
> >   Modified:    catalina/src/share/org/apache/catalina/core
> >                         LocalStrings.properties StandardContextMapper.java
> >   Log:
> >   Return error 400 if the user uses invalid characters (including %00 and
> >   %7f) in a URI.  This fixes a security vulnerability, present in 4.0-b4,
> >   that exposes JSP source code when you request:
> > 
> >     http://localhost:8080/examples/jsp/num/numguess.jsp%00
> >
> > [...]
> 
> Shouldn't we post a security "hotfix" or cut a new beta release? This seems
> like a pretty major security flaw.

We will ... but this is not the only problem.  I pulled the downloadable
directory for beta 4.

> 
>       ..bip
> 

Craig
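The commit log quoted above describes the mitigation: reject a request whose URI contains percent-encoded control characters such as %00 or %7f with a 400 rather than letting it reach the servlet/JSP mapping. The following is an added illustration of that kind of check, not code from the Tomcat commit or from either poster; the function names (`has_invalid_chars`, `map_request`) and the sample paths are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed example of a request-path check in the spirit of the fix
# described in the commit log: decode the path once, and answer 400 when the
# decoded bytes contain a C0 control character (0x00-0x1f) or DEL (0x7f).
# This is NOT Tomcat's StandardContextMapper code; the names are hypothetical.

def decoded_path_bytes(path: str) -> bytes:
    """Percent-decode the path exactly once into raw bytes (no charset guessing)."""
    return unquote_to_bytes(path)

def has_invalid_chars(path: str) -> bool:
    """True if the decoded path contains a control character or DEL (0x7f)."""
    return any(b < 0x20 or b == 0x7f for b in decoded_path_bytes(path))

def map_request(path: str) -> int:
    """Status a mapper should answer with before any resource lookup:
    400 for a path with invalid characters, 200 otherwise (routing omitted)."""
    if has_invalid_chars(path):
        return 400
    return 200

if __name__ == "__main__":
    # Sample paths constructed for the demonstration.
    for p in ("/examples/jsp/num/numguess.jsp",
              "/examples/jsp/num/numguess.jsp%00",
              "/examples/jsp/num/numguess.jsp%7f",
              "/examples/jsp/num/numguess.jsp%0a"):
        print(f"{p!r:45} -> {map_request(p)}")
```

The check has to run on the same decoded form the mapper later uses for its file lookup; a path such as `/x%2500` passes here because a single decode yields the literal text `%00`, so a component that decodes a second time downstream would reintroduce the problem. Decode once, validate, and pass the validated form on.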

