PATCH: JSP Source Disclosure Vulnerability (Re: Bug Report #649)

2001-01-17 Thread Kazuhiro Kazama

From: [EMAIL PROTECTED] (Kazuhiro Kazama)
Subject: Re: Bug Report #649
Date: Fri, 22 Dec 2000 11:43:01 +0900
Message-ID: [EMAIL PROTECTED]
> This bug may be system dependent. Would you describe your OS and its
> release?

I analyzed this problem in cooperation with JavaHouse-Brewers mailing
list (Java technical discussions in Japan) and found there are two
bugs.

These bugs resemble the ServletExec JSP source disclosure vulnerability
(http://www.securityfocus.com/bid/1970) in their situation.

1. When you add "%20" (in fact, any URL-encoded character or sequence of
them from %01 to %20) to the end of a URL, Tomcat returns the JSP
source code instead of its result.

When you use mod_jk and delegate all HTTP requests under the
directory specified by a "JkMount" directive to Tomcat, this bug comes
out.

Example:
http://localhost/examples/jsp/num/numguess.jsp%20

Workaround:
Apply the attached patch to your Tomcat 3.2.1. This patch removes an extra
trim() which removes U+ - U+0020 characters from a URL.

2. When you add '.' or "%2E" (= '.') to the end of a URL, the Apache server
(not Tomcat) returns the source code of the JSP file.

This is a Windows bug and I confirmed it on Windows 98 and Windows
2000. But a security measure is needed in the Apache server.

When you use mod_jk on Windows and JSP files are accessible from your
Apache server through an "Alias" directive, this bug comes out.

Example:
http://localhost/examples/jsp/num/numguess.jsp.
http://localhost/examples/jsp/num/numguess.jsp%2E

Workaround:
On the Windows platform, don't use the "Alias" directive for mounting your Web
application directory. The "mod_jk.conf-auto" that Tomcat generates has "Alias"
directives, so you should fix it on Windows.

This bug may be correctable but I have no time to fix the Apache server. I
hope someone will provide a better solution.

By the way, these bugs don't happen on Tomcat & mod_jserv. But I don't
think that it is a good idea to use the mod_jserv module with Tomcat 3.2.1
because this behavior may depend on other mod_jserv bugs.

Kazuhiro Kazama ([EMAIL PROTECTED]) NTT Network Innovation Laboratories


--- src/share/org/apache/tomcat/util/FileUtil.java.orig Sun Jan 14 16:25:12 2001
+++ src/share/org/apache/tomcat/util/FileUtil.java  Thu Jan 18 11:46:39 2001
@@ -228,21 +228,19 @@
 }
 
 public static String patch(String path) {
-   String patchPath = path.trim();
-
// Move drive spec to the front of the path
-   if (patchPath.length() = 3 
-   patchPath.charAt(0) == '/'  
-   Character.isLetter(patchPath.charAt(1)) 
-   patchPath.charAt(2) == ':') {
-   patchPath=patchPath.substring(1,3)+"/"+patchPath.substring(3);
+   if (path.length() = 3 
+   path.charAt(0) == '/'  
+   Character.isLetter(path.charAt(1)) 
+   path.charAt(2) == ':') {
+   path=path.substring(1,3)+"/"+path.substring(3);
}
 
// Eliminate consecutive slashes after the drive spec
-   if (patchPath.length() = 2 
-   Character.isLetter(patchPath.charAt(0)) 
-   patchPath.charAt(1) == ':') {
-   char[] ca = patchPath.replace('/', '\\').toCharArray();
+   if (path.length() = 2 
+   Character.isLetter(path.charAt(0)) 
+   path.charAt(1) == ':') {
+   char[] ca = path.replace('/', '\\').toCharArray();
char c;
StringBuffer sb = new StringBuffer();
 
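Review bot: the hunk drops the local `patchPath` and reassigns the method parameter instead (`path=path.substring(1,3)+"/"+path.substring(3);`); that compiles, but a smaller and clearer diff would keep the local and only remove the `.trim()`, i.e. `String patchPath = path;`, so the fix is visibly a one-token change. Separately, as archived the conditions read `path.length() = 3` and `path.charAt(0) == '/'` with nothing joining the clauses, so `>=` and `&&` were evidently stripped by the list rendering; anyone applying this should use the original attachment, not the text as shown here.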
@@ -264,14 +262,14 @@
}
}
 
-   patchPath = sb.toString();
+   path = sb.toString();
}
 
// fix path on NetWare - all '/' become '\\' and remove duplicate '\\'
if (System.getProperty("os.name").startsWith("NetWare") 
path.length() =3 
path.indexOf(':')  0) {
-char ca[] = patchPath.replace('/', '\\').toCharArray();
+char ca[] = path.replace('/', '\\').toCharArray();
 StringBuffer sb = new StringBuffer();
 for (int i = 0; i  ca.length; i++) {
 if ((ca[i] != '\\') ||
@@ -279,9 +277,9 @@
 sb.append(ca[i]);
 }
 }
-patchPath = sb.toString();
+path = sb.toString();
 }
-   return patchPath;
+   return path;
 }
 
 public static boolean isAbsolute( String path ) {
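Review bot: `return path;` now hands trailing whitespace and control characters through to the filesystem lookup untouched, which is the point of the fix (the open fails and a 404 results instead of the raw file); please add a comment above the method saying that no trimming is done deliberately, so a later "cleanup" does not reintroduce `trim()`, and a regression test for a request such as `numguess.jsp%20` that expects 404. A stronger follow-up would be to reject, rather than pass through, any path containing characters at or below U+0020 before it reaches the file system.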



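The mechanism behind both reports, as an added example that is not part of the thread and not Tomcat's or Apache's code: a small model of a server that picks its handler from the raw request path but opens the file through a layer that silently drops the trailing junk (Tomcat 3.2.1's trim() of U+0001..U+0020, or Win32's stripping of trailing dots). The in-memory webapp, the function names and the single JSP source string are constructed for illustration; the `has_droppable_tail` check at the end is an assumed defensive check, not something either project ships.

```python
"""Model of the JSP source disclosure from the thread (added example)."""
from urllib.parse import unquote

# Constructed stand-in for the Tomcat examples webapp: URL path -> JSP source.
WEBAPP_FILES = {
    "/examples/jsp/num/numguess.jsp": (
        '<%@ page import="java.util.*" %>\n'
        '<% int guess = Integer.parseInt(request.getParameter("guess")); %>\n'
    ),
}


def java_trim(s):
    """Model of java.lang.String.trim(): strip leading/trailing chars <= U+0020."""
    start, end = 0, len(s)
    while start < end and ord(s[start]) <= 0x20:
        start += 1
    while end > start and ord(s[end - 1]) <= 0x20:
        end -= 1
    return s[start:end]


def win32_name(path):
    """Model of Win32 filename handling: trailing dots and spaces are dropped."""
    return path.rstrip(". ")


def open_file(path, windows_fs):
    """Look the path up in the constructed webapp, optionally with Win32 semantics."""
    if windows_fs:
        path = win32_name(path)
    return WEBAPP_FILES.get(path)


def run_jsp(source):
    """Stand-in for the JSP engine: the compiled page's output, never its source."""
    return "<html>guess a number</html>"


def serve(url_path, trim_in_container=False, windows_fs=False):
    """Return (status, content_type, body) for a request.

    trim_in_container=True models Tomcat 3.2.1 before the patch (FileUtil.patch
    called trim()); windows_fs=True models Apache serving the file via Alias on
    Windows. Handler selection always uses the raw decoded path, which is the
    root cause: "numguess.jsp " does not match *.jsp, so the default (static
    file) handler is chosen, yet the file lookup still finds numguess.jsp.
    """
    decoded = unquote(url_path)
    handler = "jsp" if decoded.endswith(".jsp") else "default"
    lookup = java_trim(decoded) if trim_in_container else decoded
    content = open_file(lookup, windows_fs)
    if content is None:
        return (404, None, None)
    if handler == "jsp":
        return (200, "text/html", run_jsp(content))
    return (200, "text/plain", content)  # raw file: this is the disclosure


def has_droppable_tail(url_path):
    """Assumed defensive check: flag any path that a tolerant layer could rewrite
    (control/space characters anywhere, or a trailing dot) so it can be rejected
    before handler selection and file lookup disagree."""
    decoded = unquote(url_path)
    return any(ord(c) <= 0x20 for c in decoded) or decoded.endswith(".")


if __name__ == "__main__":
    for url, kw in [
        ("/examples/jsp/num/numguess.jsp", dict(trim_in_container=True)),
        ("/examples/jsp/num/numguess.jsp%20", dict(trim_in_container=True)),
        ("/examples/jsp/num/numguess.jsp%20", dict()),
        ("/examples/jsp/num/numguess.jsp.", dict(windows_fs=True)),
        ("/examples/jsp/num/numguess.jsp%2E", dict(windows_fs=True)),
    ]:
        print(url, kw, serve(url, **kw)[:2], "suspicious" if has_droppable_tail(url) else "")
```

With `trim_in_container=True` the `%20` and `%01` requests come back as `text/plain` with the page source, matching the report; with the trim removed (the patch) the same requests are 404. The Windows case shows the same shape: `numguess.jsp.` misses the `*.jsp` handler, and the Alias-served file opens because Win32 ignores the trailing dot. The check is deliberately broader than both cases because any character the file system may discard can reproduce the mismatch.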


Re: Bug Report #649

2000-12-21 Thread Kazuhiro Kazama

Tomoaki,

From: Tomoaki Okitsu [EMAIL PROTECTED]
Subject: Bug Report #649
Date: Fri, 22 Dec 2000 10:32:32 +0900
Message-ID: [EMAIL PROTECTED]
> http://tomcat.3.2.1/examples/jsp/num/numguess.jsp%20

I tested this URL. But I get "404 Not Found" and don't see the JSP source
code.

This bug may be system dependent. Would you describe your OS and its
release?

Anyway, the cause of this bug is almost the same as BugRat Report #513. If
a filename has a trailer which consists of whitespace characters (CR,
LF, SPACE etc.), Tomcat misinterprets its MIME type and returns its
source code in text/plain format.

Kazuhiro Kazama ([EMAIL PROTECTED]) NTT Network Innovation Laboratories