Posted to dev@tomcat.apache.org by Yoshiyuki Karezaki <ka...@wtank.csk.co.jp> on 2001/03/05 03:22:12 UTC
Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java
In article <cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java>,
larryi@apache.org writes:
|larryi 01/03/01 10:05:07
|
| Modified: src/share/org/apache/tomcat/util/io FileUtil.java
| Log:
| Removed the "trim" in patch() method to avoid security hole. A file ending
| in ".jsp%20" would not be considered a JSP page, but could still be served,
| probably statically, if the trailing space is removed. The sanity and watchdog
| tests still pass.
|
| Submitted by: Kazuhiro Kazama
|
| This fixes direct access to Tomcat. The impact on access through mod_jserv
| and mod_jk still needs to be checked.
|
| Revision Changes Path
| 1.2 +4 -4 jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java
This patch should apply to the tomcat_32 branch too.
Tomcat 3.2.X has the same security problem.
--- Yoshiyuki Karezaki kare@wtank.csk.co.jp
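
The mismatch described in the commit log above, as an added example that is not part of the original message and is not Tomcat's code. The class, the method names (`isJspRequest`, `resolveTrimmed`, `resolveStrict`, `serve`) and the in-memory docroot are hypothetical; the model assumes the request path has already been URL-decoded, so `%20` arrives as a trailing space.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed model, not Tomcat source: every name here is hypothetical.
public class TrimMismatchDemo {

    // Constructed sample docroot: stored path -> file content.
    static final Map<String, String> DOCROOT = new LinkedHashMap<>();
    static {
        DOCROOT.put("/index.jsp", "<% out.print(secret()); %>");
        DOCROOT.put("/logo.gif", "GIF89a...");
    }

    // Mapper: only an exact ".jsp" suffix is handed to the JSP engine.
    static boolean isJspRequest(String decodedPath) {
        return decodedPath.endsWith(".jsp");
    }

    // Resolver with the trim the commit removed: "/index.jsp " finds "/index.jsp".
    static String resolveTrimmed(String decodedPath) {
        return DOCROOT.get(decodedPath.trim());
    }

    // Resolver without trim: the path must match the stored name exactly.
    static String resolveStrict(String decodedPath) {
        return DOCROOT.get(decodedPath);
    }

    // Returns what the client would receive for a decoded request path.
    static String serve(String decodedPath, boolean trim) {
        String body = trim ? resolveTrimmed(decodedPath) : resolveStrict(decodedPath);
        if (body == null) return "404";
        if (isJspRequest(decodedPath)) return "200 (executed by JSP engine)";
        return "200 static: " + body; // raw file content goes to the client
    }

    public static void main(String[] args) {
        // Constructed request paths; the second is "/index.jsp%20" after decoding.
        String[] paths = { "/index.jsp", "/index.jsp ", "/logo.gif" };
        for (String p : paths) {
            System.out.printf("%-14s trim=true  -> %s%n", "[" + p + "]", serve(p, true));
            System.out.printf("%-14s trim=false -> %s%n", "[" + p + "]", serve(p, false));
        }
    }
}
```

With the trim in place, the path with the trailing space fails the `.jsp` check but still resolves to the JSP file, so its source is returned as static content; without the trim, the same request gets a 404 because the mapper and the resolver see the same string.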