Posted to dev@tomcat.apache.org by la...@apache.org on 2001/03/01 19:05:08 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java
larryi 01/03/01 10:05:07
Modified: src/share/org/apache/tomcat/util/io FileUtil.java
Log:
Removed the "trim" in patch() method to avoid security hole. A file ending
in ".jsp%20" would not be considered a JSP page, but could still be served,
probably statically, if the trailing space is removed. The sanity and watchdog
tests still pass.
Submitted by: Kazuhiro Kazama
This fixes direct access to Tomcat. The impact on access through mod_jserv
and mod_jk still needs to be checked.
Revision Changes Path
1.2 +4 -4 jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java
Index: FileUtil.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- FileUtil.java 2001/02/20 03:12:59 1.1
+++ FileUtil.java 2001/03/01 18:05:00 1.2
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java,v 1.1 2001/02/20 03:12:59 costin Exp $
- * $Revision: 1.1 $
- * $Date: 2001/02/20 03:12:59 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java,v 1.2 2001/03/01 18:05:00 larryi Exp $
+ * $Revision: 1.2 $
+ * $Date: 2001/03/01 18:05:00 $
*
* ====================================================================
*
@@ -231,7 +231,7 @@
}
public static String patch(String path) {
- String patchPath = path.trim();
+ String patchPath = path;
// Move drive spec to the front of the path
if (patchPath.length() >= 3 &&
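Review bot: The new assignment `String patchPath = path;` has no comment saying that leaving out `trim()` is deliberate, so a later cleanup could put the call back and reopen the ".jsp%20" case described in the log. Suggest a short comment above that line stating that the path must not be trimmed, because a name with a trailing space is not treated as a JSP page but could still be served once the space is removed. A regression test that requests a name ending in a space would also help, since the log mentions only the existing sanity and watchdog tests. The log leaves access through mod_jserv and mod_jk unchecked, which is worth tracking before the issue is treated as closed.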