Posted to dev@tomcat.apache.org by co...@apache.org on 2001/08/03 04:57:08 UTC
cvs commit: jakarta-tomcat/src/tests/webpages/WEB-INF test-tomcat.xml
costin 01/08/02 19:57:08
Modified: src/tests/webpages/WEB-INF test-tomcat.xml
Log:
The return code for "strange" urls can be 403 or 404. There is not an absolute rule
( IMHO 404 gives back less information about why we rejected - that can be good
for security ). The test should only make sure an error is returned.
Revision Changes Path
1.40 +19 -19 jakarta-tomcat/src/tests/webpages/WEB-INF/test-tomcat.xml
Index: test-tomcat.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/tests/webpages/WEB-INF/test-tomcat.xml,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- test-tomcat.xml 2001/07/20 17:43:25 1.39
+++ test-tomcat.xml 2001/08/03 02:57:08 1.40
@@ -16,7 +16,7 @@
early tests.
-->
- <property name="revision" value="$Revision: 1.39 $" />
+ <property name="revision" value="$Revision: 1.40 $" />
<property name="host" value="127.0.0.1" />
<property name="port" value="8080" />
<property name="outputType" value="text" />
@@ -1223,76 +1223,76 @@
<target name="security_chk" depends="init,security_chk_url">
<gtest description="This URL should return 404 Not Found"
request="GET /test/jsp/HelloWorld.jsp. HTTP/1.0"
- returnCode="${http.protocol} 404"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld.jsp%2E HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld.jsp%252E HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 404 Not Found"
request="GET /test/jsp/HelloWorld.jsp/ HTTP/1.0"
- returnCode="${http.protocol} 404"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld.jsp%5C HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld.jsp%255C HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 404 Not Found"
request="GET /test/jsp/HelloWorld.jsp%20 HTTP/1.0"
- returnCode="${http.protocol} 404"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld.jsp%2520 HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 404 Not Found"
request="GET /test/jsp/HelloWorld.jsp%00 HTTP/1.0"
- returnCode="${http.protocol} 404"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /%2e%2e/%2e%2e/%00.jsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /%252e%252e/%252e%252e/%00.jsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /%2e%2e/%2e%2e/%5cLICENSE%00.jsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /%2e%2e/%2e%2e/%5cLICENSE/%00.jsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /%252e%252e/%252e%252e/%5cLICENSE%00.jsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /%252e%252e/%252e%252e/%5cLICENSE/%00.jsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return HTML, not JSP source"
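Review bot: The `description` attributes on these gtests still read "should return 404 Not Found" or "403 Forbidden" although `returnCode` is now `${http.protocol} 40`, so a failure report will name a status the test no longer requires; the three gtests in the following hunk have the same mismatch. Reword them to match the new intent, for example `description="This URL should be rejected with 403 or 404"`. The shortened value only works if gtest compares `returnCode` as a prefix of the status line, which is not visible on this page; if it does, 400, 401 and 405 pass as well, so a comment on the target such as `<!-- any 40x is accepted on purpose; the server may answer 403 or 404 -->` would record that this is deliberate. The `security_chk` target opens in this hunk and its closing tag lies outside it.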
@@ -1303,16 +1303,16 @@
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld.js%2570 HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld%2Ejsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
<gtest description="This URL should return 403 Forbidden"
request="GET /test/jsp/HelloWorld%252Ejsp HTTP/1.0"
- returnCode="${http.protocol} 403"
+ returnCode="${http.protocol} 40"
/>
</target>