"Craig R. McClanahan" wrote:
>
> Geert Van Damme wrote:
>
> > Hi,
> >
> > I'm mainly using JServ but now I'm experimenting a bit with tomcat and I
> > think I found an important security problem.
> >
> > If you request a jsp file but use .JSP (uppercase) instead of .jsp it
> > doesn't compile the jsp page but just serves you the jsp file with all the
> > code in it.
> >
> > First of all, I think it's important to tell that I'm using NT. I guess
> > that's where the problem comes from since NT file system is not case
> > sensitive (which I think is a GOOD thing :-). Anyway, I don't know if it's
> > only when I use the tomcat http server or anything else. I just discovered
> > it. Maybe it's even old news.
> > Anyone else seen this?
> >
>
> You are right about where the problem is (NT is not case sensitive). You are also
> right that it's old news. The important thing is that HTTP URLs are supposed to
> be case-sensitive, and the servlet specs follow the same rules. Therefore, ".jsp"
> and ".JSP" are different.
>
On the other hand, I know that Tomcat's default servlet *did* check for this at
some point, since it's a known security issue. Something must have changed lately,
so it may be worth taking a closer look. In the meantime, mapping all variations
of .jsp (.JSP, .jSP, etc.) is a work-around.
Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
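A model of the bug class discussed in this thread, added here as an illustration (not Tomcat code): the constructed `FS` dict stands in for a case-insensitive NT filesystem, `serve_vulnerable` dispatches on an exact-case extension the way Geert observed, `serve_fixed` decides on the resolved on-disk name instead, and `case_variants` enumerates the spellings of `.jsp` that Hans's mapping work-around would have to list. All function names are hypothetical.

```python
"""Why "/index.JSP" leaks source on a case-insensitive filesystem.

Requests are dispatched on their extension; anything unmatched falls
through to a static-file handler. If the extension check is
case-sensitive but the filesystem is not, ".JSP" misses the JSP
mapping yet still opens index.jsp on disk, so raw source is served.
"""
import itertools
import os

# Constructed stand-in for an NT filesystem: keys are the real on-disk
# names; ci_lookup() ignores case the way the NT filesystem does.
FS = {"index.jsp": "<%= request.getRemoteUser() %> secret logic here",
      "logo.gif": "GIF89a..."}

def ci_lookup(name):
    """Return the on-disk name matching `name` case-insensitively, or None."""
    for real in FS:
        if real.lower() == name.lower():
            return real
    return None

def compile_jsp(real_name):
    """Placeholder for the JSP servlet compiling and running the page."""
    return "<compiled output of %s>" % real_name

def serve_vulnerable(path):
    """Case-sensitive mapping + case-insensitive file lookup = source leak."""
    name = path.lstrip("/")
    if name.endswith(".jsp"):          # only the exact-case extension matches
        return compile_jsp(name)
    real = ci_lookup(name)             # default servlet: serve the static file
    return FS[real] if real else "404"

PROTECTED = {".jsp"}                   # extensions that must never be served raw

def serve_fixed(path):
    """Dispatch on the resolved on-disk name, comparing extensions lower-cased."""
    name = path.lstrip("/")
    real = ci_lookup(name)
    if real is None:
        return "404"
    if os.path.splitext(real)[1].lower() in PROTECTED:   # .jsp, .JSP, .jSP ...
        return compile_jsp(real)
    return FS[real]

def case_variants(ext):
    """Every case spelling of an extension (8 for '.jsp'), i.e. the
    explicit servlet-mappings Hans's work-around would need."""
    return {"".join(c) for c in
            itertools.product(*[(ch.lower(), ch.upper()) for ch in ext])}
```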