On Tue, 16 Apr 2002, Remy Maucherat wrote:

> Date: Tue, 16 Apr 2002 15:09:11 -0700
> From: Remy Maucherat <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: [4.0-HEAD] JSP source exposure ?
>
> > I had a few spare minutes so I went ahead and grabbed last night's build.
> >
> > I ran it on Red Hat Linux 7.2 and can confirm the report.
> >
> > Requesting foo.jsp%00.txt gets you the source.
> >
> > Requesting foo.jsp%00 gets you a strange page that includes some html
> > widgets and some of the jsp source too.  Surprising (at least to me) and
> > ugly.
>
> Thanks.
> Since the problem is real, I've put in a fix (it will return 400 the way
> 4.0.x does).
>
> I'm not sure why it happens though.
> I think because the file extension is ".jsp\0", it gets mapped to the
> default servlet, which would then attempt to serve the resource. On Windows,
> I was getting a 404, so my guess is that it was trying to get 'foo.jsp\0'
> (and failing correctly), while on Unix the file would be found (somehow).
>

IIRC, this is the same as what we saw the last time this kind of thing
showed up -- and it was ultimately because of the filesystem logic on the
underlying OS.  Such a runtime written in C (like most Unix stuff is) will
not have any problem at all accepting "foo.jsp\0" and treating it as a
reference to "foo.jsp" -- because null bytes delimit Strings in the C I/O
library.

> Remy
>

Craig
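
Added example, not part of the original thread and not Tomcat code: a C sketch of the mismatch described above, where a length-aware extension check sees ".txt" or ".jsp\0" while a NUL-terminated file API sees only "foo.jsp". The function names, the ".jsp" mapping check and the sample paths are assumptions constructed for illustration; the 400 result mirrors the fix mentioned in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-aware view (how a Java String sees the decoded path):
 * 1 if the text after the last '.' in the final segment is exactly "jsp". */
int maps_to_jsp_servlet(const char *p, size_t len) {
    for (size_t i = len; i > 0; i--) {
        if (p[i - 1] == '/') break;               /* no '.' in last segment */
        if (p[i - 1] == '.')                      /* extension is p[i..len) */
            return (len - i) == 3 && memcmp(p + i, "jsp", 3) == 0;
    }
    return 0;
}

/* Length of the name a NUL-terminated C file API would actually open. */
size_t c_visible_length(const char *p, size_t len) {
    const char *nul = memchr(p, '\0', len);
    return nul ? (size_t)(nul - p) : len;
}

/* Defensive check before any mapping or file access:
 * 400 if the decoded path contains a NUL byte, 0 if it is acceptable. */
int validate_path(const char *p, size_t len) {
    return memchr(p, '\0', len) != NULL ? 400 : 0;
}

int main(void) {
    /* Constructed samples: decoded forms of foo.jsp, foo.jsp%00, foo.jsp%00.txt */
    static const struct { const char *p; size_t len; } s[] = {
        { "foo.jsp",       7  },
        { "foo.jsp\0",     8  },
        { "foo.jsp\0.txt", 12 },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("len=%zu jsp_servlet=%d c_sees=%.*s status=%d\n",
               s[i].len, maps_to_jsp_servlet(s[i].p, s[i].len),
               (int)c_visible_length(s[i].p, s[i].len), s[i].p,
               validate_path(s[i].p, s[i].len));
    return 0;
}
```

For both NUL-bearing samples the mapping check says "not a JSP" while the C-visible name is still foo.jsp, which is the gap that lets a static-file handler serve the source; rejecting the path up front closes it regardless of the OS.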

