From: [EMAIL PROTECTED] (Kazuhiro Kazama)
Subject: Re: Bug Report #649
Date: Fri, 22 Dec 2000 11:43:01 +0900
Message-ID: <[EMAIL PROTECTED]>

> This bug may be system dependent. Would you describe your OS and its
> release?

I analyzed this problem in cooperation with the JavaHouse-Brewers mailing list (Java technical discussions in Japan) and found that there are two bugs. The situation in which these bugs occur resembles the ServletExec JSP source disclosure vulnerability (http://www.securityfocus.com/bid/1970).

1. When you add "%20" (in fact, a URL-encoded character or a sequence of such characters from %01 to %20) to the end of a URL, Tomcat returns the JSP source code instead of its result.

When you use mod_jk and delegate all HTTP requests under the directory specified by a "JkMount" directive to Tomcat, this bug appears.

Example:
http://localhost/examples/jsp/num/numguess.jsp%20

Workaround:
Apply the attached patch to your Tomcat 3.2.1. This patch removes an extra trim() which removes U+0000 - U+0020 characters from a URL.

2. When you add '.' or "%2E" (= '.') to the end of a URL, the Apache server (not Tomcat) returns the JSP source code of JSP files. This is a Windows bug and I confirmed it on Windows 98 and Windows 2000. But a security measure is needed in the Apache server.

When you use mod_jk on Windows and JSP files are accessible from your Apache server because an "Alias" directive has been added, this bug appears.

Example:
http://localhost/examples/jsp/num/numguess.jsp.
http://localhost/examples/jsp/num/numguess.jsp%2E

Workaround:
On the Windows platform, don't use the "Alias" directive for mounting your Web application directory. The "mod_jk.conf-auto" that Tomcat generates has "Alias" directives, so you should fix it on Windows.

This bug may be correctable but I have no time to fix the Apache server. I hope someone will inform us of a better solution.

By the way, these bugs don't happen with Tomcat & mod_jserv. But I don't think that it is a good idea to use the mod_jserv module with Tomcat 3.2.1 because this behavior may depend on other mod_jserv bugs.

Kazuhiro Kazama ([EMAIL PROTECTED]) NTT Network Innovation Laboratories
--- src/share/org/apache/tomcat/util/FileUtil.java.orig Sun Jan 14 16:25:12 2001 +++ src/share/org/apache/tomcat/util/FileUtil.java Thu Jan 18 11:46:39 2001 @@ -228,21 +228,19 @@ } public static String patch(String path) { - String patchPath = path.trim(); - // Move drive spec to the front of the path - if (patchPath.length() >= 3 && - patchPath.charAt(0) == '/' && - Character.isLetter(patchPath.charAt(1)) && - patchPath.charAt(2) == ':') { - patchPath=patchPath.substring(1,3)+"/"+patchPath.substring(3); + if (path.length() >= 3 && + path.charAt(0) == '/' && + Character.isLetter(path.charAt(1)) && + path.charAt(2) == ':') { + path=path.substring(1,3)+"/"+path.substring(3); } // Eliminate consecutive slashes after the drive spec - if (patchPath.length() >= 2 && - Character.isLetter(patchPath.charAt(0)) && - patchPath.charAt(1) == ':') { - char[] ca = patchPath.replace('/', '\\').toCharArray(); + if (path.length() >= 2 && + Character.isLetter(path.charAt(0)) && + path.charAt(1) == ':') { + char[] ca = path.replace('/', '\\').toCharArray(); char c; StringBuffer sb = new StringBuffer(); @@ -264,14 +262,14 @@ } } - patchPath = sb.toString(); + path = sb.toString(); } // fix path on NetWare - all '/' become '\\' and remove duplicate '\\' if (System.getProperty("os.name").startsWith("NetWare") && path.length() >=3 && path.indexOf(':') > 0) { - char ca[] = patchPath.replace('/', '\\').toCharArray(); + char ca[] = path.replace('/', '\\').toCharArray(); StringBuffer sb = new StringBuffer(); for (int i = 0; i < ca.length; i++) { if ((ca[i] != '\\') || @@ -279,9 +277,9 @@ sb.append(ca[i]); } } - patchPath = sb.toString(); + path = sb.toString(); } - return patchPath; + return path; } public static boolean isAbsolute( String path ) {
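Review bot: In the first hunk (@@ -228,21 +228,19 @@), the comment "// Move drive spec to the front of the path" is deleted together with "String patchPath = path.trim();", and nothing in the method records why the trim was taken out. Keep that comment above the first "if", and add one stating that leading and trailing U+0000 - U+0020 characters are deliberately left in "path", so that a later cleanup does not reintroduce trim() and with it the behaviour this patch is meant to remove.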
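Review bot: In the second hunk (@@ -264,14 +262,14 @@), the NetWare guard "path.length() >=3 && path.indexOf(':') > 0" now tests the value already rewritten by "path = sb.toString();" in the drive-spec block, whereas before the patch the guard read the caller's argument and only the body used "patchPath". If that change is intended, say so in the patch description; otherwise keep a separate local (for example "String patchPath = path;", without the trim) so the parameter is not reassigned and the guard keeps its original input.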
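A log check for the two request shapes described in the message above, added here as an example and not part of the original mail or of Tomcat/Apache. The Common Log Format lines, the client addresses and the /docs/readme.txt path are constructed; the function names are hypothetical, and matching ".jsp" case-insensitively is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

# Trailing bytes named in the message: %01-%20 (case 1) and '.' / %2E (case 2)
TRAILING = bytes(range(0x01, 0x21)) + b"."

def classify(target):
    """Return None for a normal target, else which kind of suffix follows .jsp."""
    path = target.split("?", 1)[0]        # the query string is not part of the path
    decoded = unquote_to_bytes(path)      # %20 -> b' ', %2E -> b'.'
    stripped = decoded.rstrip(TRAILING)
    if stripped == decoded or not stripped.lower().endswith(b".jsp"):
        return None
    tail = decoded[len(stripped):]
    kinds = {"dot" if b == 0x2E else "ctl-or-space" for b in tail}
    return "+".join(sorted(kinds))

def scan(lines):
    """Return (client, target, reason) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            hits.append((line.split(" ", 1)[0], m.group(1), reason))
    return hits

# Constructed sample log; only the numguess.jsp URLs come from the message.
TS = "[22/Dec/2000:11:40:01 +0900]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /examples/jsp/num/numguess.jsp HTTP/1.0" 200 1024',
    f'192.0.2.11 - - {TS} "GET /examples/jsp/num/numguess.jsp%20 HTTP/1.0" 200 2290',
    f'192.0.2.12 - - {TS} "GET /examples/jsp/num/numguess.jsp. HTTP/1.0" 200 2290',
    f'192.0.2.12 - - {TS} "GET /examples/jsp/num/numguess.jsp%2E HTTP/1.0" 200 2290',
    f'192.0.2.13 - - {TS} "GET /examples/jsp/num/numguess.jsp%0A?guess=5 HTTP/1.0" 200 2290',
    f'192.0.2.14 - - {TS} "GET /docs/readme.txt%20 HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, target, reason in scan(SAMPLE_LOG):
        print(f"{client}  {target}  ->  {reason}")
```

A hit that was answered with status 200 and a body larger than the page normally renders to is worth checking against the JSP file's size on disk.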