Posted to dev@tomcat.apache.org by Bip Thelin <bi...@razorfish.com> on 2001/05/12 02:07:27 UTC
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core LocalStrings.properties StandardContextMapper.java
craigmcc@apache.org wrote:
>
> craigmcc 01/05/11 16:20:12
>
> Modified: catalina/src/share/org/apache/catalina/core
> LocalStrings.properties StandardContextMapper.java
> Log:
> Return error 400 if the user uses invalid characters (including %00 and
> %7f) in a URI. This fixes a security vulnerability, present in 4.0-b4,
> that exposes JSP source code when you request:
>
> http://localhost:8080/examples/jsp/num/numguess.jsp%00
>
> [...]
Shouldn't we post a security "hotfix" or cut a new beta release? This seems
like a pretty major security flaw.
..bip
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core LocalStrings.properties StandardContextMapper.java
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 11 May 2001, Bip Thelin wrote:
> craigmcc@apache.org wrote:
> >
> > craigmcc 01/05/11 16:20:12
> >
> > Modified: catalina/src/share/org/apache/catalina/core
> > LocalStrings.properties StandardContextMapper.java
> > Log:
> > Return error 400 if the user uses invalid characters (including %00 and
> > %7f) in a URI. This fixes a security vulnerability, present in 4.0-b4,
> > that exposes JSP source code when you request:
> >
> > http://localhost:8080/examples/jsp/num/numguess.jsp%00
> >
> > [...]
>
> Shouldn't we post a security "hotfix" or cut a new beta release? This seems
> like a pretty major security flaw.
We will ... but this is not the only problem. I pulled the downloadable
directory for beta 4.
>
> ..bip
>
Craig
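A check of the kind the quoted commit log describes, written as an added Java example and not Tomcat's own StandardContextMapper code: it percent-decodes the raw request path and answers 400 when the decoded bytes contain NUL, any other C0 control byte or DEL, which covers both the %00 and the %7f cases named in the log. The class name, helper names and the sample paths other than the one quoted in the log are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
/** Hypothetical request-path validator (added example, not Tomcat's own code). */
public final class UriPathCheck {
    /** Percent-decodes a raw request path; returns null if an escape is malformed. */
    static byte[] percentDecode(String rawPath) {
        byte[] in = rawPath.getBytes(StandardCharsets.ISO_8859_1);
        byte[] out = new byte[in.length];
        int n = 0;
        for (int i = 0; i < in.length; i++) {
            byte b = in[i];
            if (b == '%') {
                if (i + 2 >= in.length) return null;   // truncated escape
                int hi = Character.digit((char) (in[i + 1] & 0xFF), 16);
                int lo = Character.digit((char) (in[i + 2] & 0xFF), 16);
                if (hi < 0 || lo < 0) return null;     // non-hex escape
                b = (byte) ((hi << 4) | lo);
                i += 2;
            }
            out[n++] = b;
        }
        return Arrays.copyOf(out, n);
    }

    // True when the decoded path holds a byte that has no place in a URI path:
    // NUL or another C0 control (0x00-0x1F), or DEL (0x7F). NUL is the dangerous
    // one: a lower layer can truncate the path there, so "numguess.jsp%00" misses
    // the *.jsp mapping yet still opens the file numguess.jsp as static content.
    static boolean hasInvalidChars(String rawPath) {
        byte[] decoded = percentDecode(rawPath);
        if (decoded == null) return true;   // reject malformed escapes as well
        for (byte b : decoded) {
            int c = b & 0xFF;
            if (c < 0x20 || c == 0x7F) return true;
        }
        return false;
    }
    /** Status the commit chose: 400 for an invalid path; 200 stands in for "continue". */
    static int statusFor(String rawPath) {
        return hasInvalidChars(rawPath) ? 400 : 200;
    }

    public static void main(String[] args) {
        String[] samples = { "/examples/jsp/num/numguess.jsp",       // clean -> 200
            "/examples/jsp/num/numguess.jsp%00",                     // from the commit log -> 400
            "/examples/jsp/num/numguess.jsp%7f" };                   // DEL -> 400
        for (String s : samples) System.out.println(statusFor(s) + "  " + s);
    }
}
```

The same decoded-byte check is what to apply when reviewing access logs for this issue: a request line whose path contains %00 or %7f (or their decoded bytes) is the signature to alert on.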