[EMAIL PROTECTED] wrote:
>
> craigmcc 01/05/11 16:20:12
>
> Modified: catalina/src/share/org/apache/catalina/core
> LocalStrings.properties StandardContextMapper.java
> Log:
> Return error 400 if the user uses invalid characters (including %00 and
> %7f) in a URI. This fixes a security vulnerability, present in 4.0-b4,
> that exposes JSP source code when you request:
>
> http://localhost:8080/examples/jsp/num/numguess.jsp%00
>
> [...]
Shouldn't we post a security "hotfix" or cut a new beta release? This seems
like a pretty major security flaw.
..bip