costin 01/01/04 14:38:57 Modified: src/share/org/apache/tomcat/core Tag: latest_TOMCAT_30 DefaultServlet.java Log: Use case-sensitive check, even on windows. That should resolve special cases where the jsp source may be explosed by using case combinations. Revision Changes Path No revision No revision 1.6.2.1 +9 -6 jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- DefaultServlet.java 1999/11/08 03:58:38 1.6
+++ DefaultServlet.java 2001/01/04 22:38:56 1.6.2.1
@@ -1,7 +1,7 @@
 /*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v 1.6 1999/11/08 03:58:38 akv Exp $
- * $Revision: 1.6 $
- * $Date: 1999/11/08 03:58:38 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/DefaultServlet.java,v 1.6.2.1 2001/01/04 22:38:56 costin Exp $
+ * $Revision: 1.6.2.1 $
+ * $Date: 2001/01/04 22:38:56 $
 *
 * ====================================================================
 *
@@ -359,11 +359,14 @@
 // So, a check for File.separatorChar='\\' ..... It hopefully
 // happens on flavors of Windows.
 if (File.separatorChar == '\\') {
- // On Windows check ignore case....
- if(!absPath.equalsIgnoreCase(canPath)) {
+ // On Windows check ignore case....
+ // This may introduce security problems
+ // if(!absPath.equalsIgnoreCase(canPath)) {
+ // more restrictive check:
+ if(!absPath.equals(canPath)) {
 response.sendError(response.SC_NOT_FOUND);
 return;
- }
+ }
 } else {
 // The following code on Non Windows disallows ../
 // in the path but also disallows symlinks....
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
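Review bot: The superseded `equalsIgnoreCase` call is kept as commented-out code and the retained comment `// On Windows check ignore case....` now states the opposite of what the new `equals` comparison does, so the four comment lines above `if(!absPath.equals(canPath))` should collapse into one that gives the intent, e.g. `// Compare case-sensitively even on Windows: a request URI whose case differs from the on-disk name must not reach the file (the log notes this exposed JSP source).` The strictness of `equals` also rests on `canPath` being the canonical on-disk form and `absPath` being normalized the same way; that derivation is outside the hunk, so a short comment there naming the invariant (or an explicit normalization before the compare) would make the check self-explanatory. `response.SC_NOT_FOUND` reads a static constant through an instance reference; `HttpServletResponse.SC_NOT_FOUND` is the conventional form. The enclosing method starts and ends outside this hunk.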