Hi, I got a report about a URL based exploit against the nightly builds for TC 4 (4.0-HEAD). Basically, accessing foo.jsp%00 (or foo.jsp%00.txt) is supposed to get the source code for foo.jsp.
I cannot reproduce the problem when Tomcat is running on Windows (I get a 404 for that kind of URLs). However, since I refactored the URL handling, this kind of problem may have been reintroduced. If I could get reports from people running the nightlies on Unix, that would be nice. Note: If there's a problem, it would be a good idea for the URL decoding method to complain when it encounters a null character when decoding a %xx, as I don't see a single valid use case for that (except in URL based attacks, of course). Thanks, Remy -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
