Posted to dev@tomcat.apache.org by cr...@apache.org on 2001/04/02 23:15:49 UTC
cvs commit: jakarta-tomcat-4.0/tester/src/bin tester.xml
craigmcc 01/04/02 14:15:49
Modified: tester/src/bin tester.xml
Log:
Add a test case to watch for the "double URL decode" vulnerability.
Revision Changes Path
1.26 +10 -0 jakarta-tomcat-4.0/tester/src/bin/tester.xml
Index: tester.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/tester/src/bin/tester.xml,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- tester.xml 2001/03/30 21:20:02 1.25
+++ tester.xml 2001/04/02 21:15:46 1.26
@@ -181,6 +181,16 @@
request="${context.path}/WrappedDecoding0%31/extr%61?servlet=/WrappedDecoding01&path=/extra"
outContent="Decoding01 PASSED"/>
+ <!-- Verify we can access the JSP page normally -->
+ <tester host="${host}" port="${port}" protocol="${protocol}"
+ request="/examples/jsp/snp/snoop.jsp"
+ status="200"/>
+
+ <!-- DefaultServlet should not decode the path again -->
+ <tester host="${host}" port="${port}" protocol="${protocol}"
+ request="/examples/jsp/snp/snoop%252ejsp"
+ status="404"/>
+
</target>
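Review bot: The second added `<tester>` covers only the lowercase `%252e` form of the dot, so a regression that re-decodes a differently written escape would go unnoticed; a sibling case with `request="/examples/jsp/snp/snoop%252Ejsp"` and `status="404"` would be cheap to add. The comment above it could also say why 404 is the expected result, for example `<!-- %252e decodes once to %2e; a second decode would yield snoop.jsp, presumably letting DefaultServlet return the page as static content -->`. Both requests hard-code `/examples` instead of `${context.path}`, so the 404 assertion is only meaningful while the examples webapp is deployed. The first case guards that dependency, and its comment should say so. The enclosing `<target>` starts outside the hunk.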