Posted to dev@tomcat.apache.org by co...@apache.org on 2001/01/04 23:38:58 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core DefaultServlet.java

costin      01/01/04 14:38:57

  Modified:    src/share/org/apache/tomcat/core Tag: latest_TOMCAT_30
                        DefaultServlet.java
  Log:
  Use a case-sensitive check, even on Windows. That should resolve special
  cases where the jsp source may be exposed by using case combinations.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.6.2.1   +9 -6      jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v
  retrieving revision 1.6
  retrieving revision 1.6.2.1
  diff -u -r1.6 -r1.6.2.1
  --- DefaultServlet.java	1999/11/08 03:58:38	1.6
  +++ DefaultServlet.java	2001/01/04 22:38:56	1.6.2.1
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v 1.6 1999/11/08 03:58:38 akv Exp $
  - * $Revision: 1.6 $
  - * $Date: 1999/11/08 03:58:38 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v 1.6.2.1 2001/01/04 22:38:56 costin Exp $
  + * $Revision: 1.6.2.1 $
  + * $Date: 2001/01/04 22:38:56 $
    *
    * ====================================================================
    *
  @@ -359,11 +359,14 @@
   	// So, a check for File.separatorChar='\\' ..... It hopefully
   	// happens on flavors of Windows.
   	if (File.separatorChar  == '\\') { 
  -		// On Windows check ignore case....
  -		if(!absPath.equalsIgnoreCase(canPath)) {
  +	    // On Windows check ignore case....
  +	    // This may introduce security problems
  +	    //		if(!absPath.equalsIgnoreCase(canPath)) {
  +	    // more restrictive check:
  +	    if(!absPath.equals(canPath)) {
   	    	response.sendError(response.SC_NOT_FOUND);
   	    	return;
  -		}
  +	    }
   	} else {
   		// The following code on Non Windows disallows ../ 
   		// in the path but also disallows symlinks....
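Review bot: The new comment `// This may introduce security problems` directly above `if(!absPath.equals(canPath))` reads as a warning about the comparison that follows, while the log message says it was the replaced `equalsIgnoreCase` that exposed JSP source through case variants; kept together with the commented-out old condition, the block documents the wrong thing. Drop the commented-out line (the revision history already holds it) and state the rationale positively, e.g. `// Compare case-sensitively even on Windows: a case-insensitive match could let a request with a differently-cased name reach the source of a resource (see the 1.6.2.1 log).` The replacement lines are indented with a tab plus four spaces where the surrounding block uses tabs only, so the indentation should be made consistent with the enclosing code. The enclosing method starts and ends outside this hunk, so how `absPath` and `canPath` are derived cannot be confirmed from the visible lines.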