Posted to dev@tomcat.apache.org by co...@apache.org on 2001/01/04 23:38:58 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core DefaultServlet.java
costin 01/01/04 14:38:57
Modified: src/share/org/apache/tomcat/core Tag: latest_TOMCAT_30
DefaultServlet.java
Log:
Use case-sensitive check, even on Windows. That should resolve special
cases where the jsp source may be exposed by using case combinations.
Revision Changes Path
No revision
No revision
1.6.2.1 +9 -6 jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- DefaultServlet.java 1999/11/08 03:58:38 1.6
+++ DefaultServlet.java 2001/01/04 22:38:56 1.6.2.1
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v 1.6 1999/11/08 03:58:38 akv Exp $
- * $Revision: 1.6 $
- * $Date: 1999/11/08 03:58:38 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v 1.6.2.1 2001/01/04 22:38:56 costin Exp $
+ * $Revision: 1.6.2.1 $
+ * $Date: 2001/01/04 22:38:56 $
*
* ====================================================================
*
@@ -359,11 +359,14 @@
// So, a check for File.separatorChar='\\' ..... It hopefully
// happens on flavors of Windows.
if (File.separatorChar == '\\') {
- // On Windows check ignore case....
- if(!absPath.equalsIgnoreCase(canPath)) {
+ // On Windows check ignore case....
+ // This may introduce security problems
+ // if(!absPath.equalsIgnoreCase(canPath)) {
+ // more restrictive check:
+ if(!absPath.equals(canPath)) {
response.sendError(response.SC_NOT_FOUND);
return;
- }
+ }
} else {
// The following code on Non Windows disallows ../
// in the path but also disallows symlinks....
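Review bot: the comment kept at the top of the new block, "On Windows check ignore case....", now contradicts the check under it, which uses equals() and no longer ignores case, and the old equalsIgnoreCase line survives only as a commented-out line with the vague "This may introduce security problems". Replace those three comment lines with the actual reason (a request whose case differs from the on-disk name is not matched by the extension mapping for JSP files, so it falls through to DefaultServlet and the JSP source would be served as a static file, which is what the log message describes) and drop the dead line instead of leaving it for the next reader to re-enable. Two further points: the hunk does not show how canPath is computed, and the exact comparison only closes the case vector if canPath comes from File.getCanonicalPath(), which on Windows returns the on-disk casing, so that dependency belongs in the comment too; and the stricter check now answers SC_NOT_FOUND for any request whose case differs from the file name, including links to ordinary static files, which is a behaviour change the commit log should state. The trailing `- }` / `+ }` pair changes only whitespace and adds noise to the diff.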
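The bypass the log message describes, reproduced as an added example (not Tomcat code and not part of this commit): on a case-insensitive filesystem a request for /index.JSP opens the same file as /index.jsp, but the literal ".jsp" extension mapping does not match it, so the request falls through to the static-file path where the 1.6 comparison (here checkIgnoreCase) accepted it and the 1.6.2.1 comparison (checkExact) refuses it. The class, the method names, the temporary docBase, the constructed index.jsp and the simplified routedToJspEngine mapping check are all assumptions of this example; the interesting line only appears on Windows (or another case-insensitive filesystem), since on a case-sensitive one the file does not exist under the variant name at all.

```java
// Added example, not Tomcat's DefaultServlet: shows why the 1.6 case-insensitive
// comparison let a case-variant request reach the JSP source, and why the exact
// comparison in 1.6.2.1 stops it. All names below are hypothetical.
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;

public class CaseCheckDemo {

    /** What the static-file servlet would decide for the request. */
    enum Verdict { SERVE, NOT_FOUND }

    /**
     * Behaviour of revision 1.6 on Windows: absolute and canonical paths were
     * compared ignoring case, so /index.JSP matched the on-disk index.jsp.
     */
    static Verdict checkIgnoreCase(File docBase, String requestPath) throws IOException {
        File f = new File(docBase, requestPath);
        if (!f.exists()) return Verdict.NOT_FOUND;          // simplification: existence checked here
        String absPath = f.getAbsolutePath();                // path as requested
        String canPath = f.getCanonicalPath();               // on-disk casing on Windows
        return absPath.equalsIgnoreCase(canPath) ? Verdict.SERVE : Verdict.NOT_FOUND;
    }

    /**
     * Behaviour of revision 1.6.2.1: exact comparison. A request that differs
     * from the on-disk name only in case no longer matches and is refused.
     */
    static Verdict checkExact(File docBase, String requestPath) throws IOException {
        File f = new File(docBase, requestPath);
        if (!f.exists()) return Verdict.NOT_FOUND;
        String absPath = f.getAbsolutePath();
        String canPath = f.getCanonicalPath();
        return absPath.equals(canPath) ? Verdict.SERVE : Verdict.NOT_FOUND;
    }

    /** Extension mappings are matched literally: only a ".jsp" suffix reaches the JSP engine. */
    static boolean routedToJspEngine(String requestPath) {
        return requestPath.endsWith(".jsp");
    }

    public static void main(String[] args) throws IOException {
        // Canonical base so that symlinks in the temp directory do not affect the comparison.
        File docBase = Files.createTempDirectory("docbase").toFile().getCanonicalFile();
        File jsp = new File(docBase, "index.jsp");
        try (FileWriter w = new FileWriter(jsp)) {
            w.write("<%= System.getProperty(\"java.version\") %>\n"); // constructed sample source
        }
        String[] requests = { "/index.jsp", "/index.JSP", "/Index.Jsp" };
        for (String req : requests) {
            if (routedToJspEngine(req)) {
                System.out.println(req + " -> JSP engine (compiled, source not served)");
                continue;
            }
            // Not matched by the mapping: the static-file servlet handles the request.
            System.out.println(req + " -> static servlet: ignoreCase=" + checkIgnoreCase(docBase, req)
                               + " exact=" + checkExact(docBase, req));
        }
        jsp.delete();
        docBase.delete();
    }
}
```

On Windows the run shows /index.JSP and /Index.Jsp falling through to the static servlet with ignoreCase=SERVE (the 1.6 source disclosure) and exact=NOT_FOUND (the fix); on Linux both variants report NOT_FOUND under either check because the file does not exist under those names.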