Posted to dev@tomcat.apache.org by Danno Ferrin <sh...@earthlink.net> on 2000/07/24 06:41:09 UTC

.jsp .JSP source bug (was: [PROPOSAL] New build targets for Tomcat)

IIRC I saw a fix go through the CVS list for this, there was some code that
used equalsIgnoreCase against file names for win32 convenience.  Let us know
if you can re-create the bug from a CVS head or tomcat_32 tag build and we
can re-open the bug, but to my knowledge the bug is fixed (and it was
somewhere in a tomcat package).

--Danno

----- Original Message -----
From: "Serge Knystautas" <se...@lokitech.com>
To: <to...@jakarta.apache.org>
Sent: Sunday, July 23, 2000 7:36 AM
Subject: Re: [PROPOSAL] New build targets for Tomcat


> Jon Stevens wrote:
> > I do not trust that Jasper has had all the security holes removed.
>
> I'd like to resubmit my bug (source code of JSPs gets displayed) in
> order to clarify the bug.  (ok, it's not "my" bug, but I think I was the
> first to submit it to the list... I'm not sure who submitted it to
> Bugtraq, or even what/where that is since I've been on vacation for a
> week.)
>
> The problem of JSP source code getting returned is a function of the
> servlet engine's <url-pattern> in web.xml, not anything in the jsp
> compiler or architecture.  The servlet engine needs to be aware that it
> might be running on a case-insensitive operating system, and accordingly
> if there is a *servlet* mapping of jsp to a servlet, it should enforce
> this mapping in a case-insensitive manner.  Other parts of the servlet
> engine have already been made aware of case-insensitivity, for instance,
> you can't access the WEB-INF folder no matter what case combination you
> use.
>
> I really don't want to enter into the foray about what Tomcat is, but
> I'd just like this security bug appropriately filed under the servlet
> engine, not the JSP engine.  Regardless of whether you're using .tea,
> .asp, or whatever files, this is the servlet engine's problem not
> recognizing the Microsoft "feature" at work.  ;)
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
>
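The mismatch Serge describes, as an added Python model that is not Tomcat's code: a filesystem that ignores case (win32) paired with a url-pattern matcher that does not, so a request for `/index.JSP` misses the `*.jsp` mapping, falls to the file-serving default servlet, and the source goes out. The webapp layout, the mappings and the two toggles are constructed assumptions for the illustration.

```python
import posixpath

# Constructed webapp layout and web.xml-style servlet mappings (assumptions).
WEBAPP_FILES = {"/index.jsp", "/WEB-INF/web.xml"}
MAPPINGS = {"*.jsp": "jsp", "/servlet/*": "invoker"}
DEFAULT_SERVLET = "default"   # serves files from the webapp directory verbatim


def file_exists(path, fs_ignores_case):
    """Model the filesystem: on win32 a name matches regardless of case."""
    if fs_ignores_case:
        return path.lower() in {f.lower() for f in WEBAPP_FILES}
    return path in WEBAPP_FILES


def resolve_servlet(path, matcher_ignores_case):
    """Pick a servlet for `path` from the url-pattern mappings."""
    path = posixpath.normpath(path)          # collapse "." and ".." segments
    for pattern, servlet in MAPPINGS.items():
        if pattern.startswith("*."):          # extension mapping, e.g. *.jsp
            ext = pattern[1:].lower()
            hit = (path.lower().endswith(ext) if matcher_ignores_case
                   else path.endswith(ext))
        elif pattern.endswith("/*"):          # path-prefix mapping
            prefix = pattern[:-2]
            hit = path == prefix or path.startswith(prefix + "/")
        else:                                 # exact mapping
            hit = path == pattern
        if hit:
            return servlet
    return DEFAULT_SERVLET


def serves_jsp_source(path, fs_ignores_case, matcher_ignores_case):
    """True when the request reaches the default servlet and the filesystem
    still resolves it to a real .jsp file: the raw source is sent as-is."""
    if resolve_servlet(path, matcher_ignores_case) != DEFAULT_SERVLET:
        return False
    return path.lower().endswith(".jsp") and file_exists(path, fs_ignores_case)


def safe_matcher_setting(fs_ignores_case):
    """The fix asked for in the thread: compare extension mappings the same
    way the underlying filesystem compares names."""
    return fs_ignores_case
```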