Posted to dev@tomcat.apache.org by Yoshiyuki Karezaki <ka...@wtank.csk.co.jp> on 2001/03/05 03:22:12 UTC

Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java

In article <cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java>,
	larryi@apache.org writes:
 |larryi      01/03/01 10:05:07
 |
 |  Modified:    src/share/org/apache/tomcat/util/io FileUtil.java
 |  Log:
 |  Removed the "trim" in patch() method to avoid security hole.  A file ending
 |  in ".jsp%20" would not be considered a JSP page, but could still be served,
 |  probably statically, if the trailing space is removed.  The sanity and watchdog
 |  tests still pass.
 |  
 |  Submitted by: Kazuhiro Kazama
 |  
 |  This fixes direct access to Tomcat. The impact on access through mod_jserv
 |  and mod_jk still needs to be checked.
 |  
 |  Revision  Changes    Path
 |  1.2       +4 -4      jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java

This patch should apply to the tomcat_32 branch too.
Tomcat 3.2.X has the same security problem.

--- Yoshiyuki Karezaki   kare@wtank.csk.co.jp
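The commit log above describes the defect in terms of two steps that disagree about the path: the extension check sees ".jsp " (the decoded "%20") and does not route the request to the JSP engine, but a later trim() turns the same path into the real ".jsp" file, which is then served as a static file. The following is an added illustration written for this archive page, not Tomcat's FileUtil code or the actual patch; the class, method and enum names (TrailingSpaceDemo, serve, Outcome) and the in-memory document root are constructed assumptions that stand in for the servlet container's mapping and file-resolution steps.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration (not Tomcat's code): why trimming a request path
// after the JSP extension check leaks JSP source as a static file.
public class TrailingSpaceDemo {

    // Constructed stand-in for the web application's document root.
    // The value is a JSP source body that must never be sent verbatim.
    static final Map<String, String> DOCROOT = new LinkedHashMap<>();
    static {
        DOCROOT.put("/index.jsp", "<%= request.getAttribute(\"secret\") %>");
    }

    enum Outcome { EXECUTED_JSP, STATIC_SOURCE_LEAK, NOT_FOUND }

    // Mapping step: decide whether the decoded request path is a JSP.
    // This check runs on the raw decoded path, so "/index.jsp " fails it.
    static boolean isJsp(String decodedPath) {
        return decodedPath.endsWith(".jsp");
    }

    // Vulnerable resolution step: the trim() silently turns
    // "/index.jsp " back into "/index.jsp", a file that exists.
    static String resolveWithTrim(String decodedPath) {
        return decodedPath.trim();
    }

    // Fixed resolution step (what the commit describes): no trim, so the
    // path with the trailing space matches nothing and is not served.
    static String resolveWithoutTrim(String decodedPath) {
        return decodedPath;
    }

    // Simplified request pipeline: extension check first, then static lookup.
    static Outcome serve(String decodedPath, boolean trimPath) {
        if (isJsp(decodedPath)) {
            return DOCROOT.containsKey(decodedPath)
                    ? Outcome.EXECUTED_JSP
                    : Outcome.NOT_FOUND;
        }
        String resolved = trimPath
                ? resolveWithTrim(decodedPath)
                : resolveWithoutTrim(decodedPath);
        // Reaching the static branch with a resolved JSP file means the
        // source text, not the rendered page, would be returned.
        return DOCROOT.containsKey(resolved)
                ? Outcome.STATIC_SOURCE_LEAK
                : Outcome.NOT_FOUND;
    }

    public static void main(String[] args) {
        // "/index.jsp%20" decodes to "/index.jsp " (constructed sample request).
        String withTrailingSpace = "/index.jsp ";
        System.out.println("with trim:    " + serve(withTrailingSpace, true));
        System.out.println("without trim: " + serve(withTrailingSpace, false));
        System.out.println("normal path:  " + serve("/index.jsp", false));
    }
}
```

The defender's takeaway is the ordering: any normalization (trim, case folding, dot-segment removal) applied after a security-relevant decision must be applied before it as well, or not at all. A regression check for this class of bug is to request each dynamic resource with a trailing encoded space and assert that the response is a 404 rather than the raw source.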