In article <cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/io FileUtil.java>,
        [EMAIL PROTECTED] writes:
 |larryi      01/03/01 10:05:07
 |
 |  Modified:    src/share/org/apache/tomcat/util/io FileUtil.java
 |  Log:
 |  Removed the "trim" in patch() method to avoid security hole.  A file ending
 |  in ".jsp%20" would not be considered a JSP page, but could still be served,
 |  probably statically, if the trailing space is removed.  The sanity and watchdog
 |  tests still pass.
 |  
 |  Submitted by: Kazuhiro Kazama
 |  
 |  This fixes direct access to Tomcat. The impact on access through mod_jserv
 |  and mod_jk still needs to be checked.
 |  
 |  Revision  Changes    Path
 |  1.2       +4 -4      jakarta-tomcat/src/share/org/apache/tomcat/util/io/FileUtil.java

This patch should apply to the tomcat_32 branch too.
Tomcat 3.2.X has the same security problem.

--- Yoshiyuki Karezaki   [EMAIL PROTECTED]
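
The mismatch described in the quoted log message, as an added example that is not part of the original message and is not Tomcat's code. It is a minimal Java model in which `isJsp`, `handle` and the in-memory `DOC_BASE` set are hypothetical stand-ins for the container's extension mapping, request dispatch and file system.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class TrailingSpaceDemo {
    // Constructed document base: one JSP file on "disk".
    static final Set<String> DOC_BASE = Set.of("/index.jsp");

    // Hypothetical extension mapping: only paths ending in ".jsp" reach the JSP engine.
    static boolean isJsp(String path) {
        return path.endsWith(".jsp");
    }

    // Hypothetical dispatch. trimPath = true models the path clean-up that
    // trimmed whitespace; false models the behaviour after the trim was removed.
    static String handle(String rawUri, boolean trimPath) {
        // Note: URLDecoder also maps '+' to a space; irrelevant for these inputs.
        String path = URLDecoder.decode(rawUri, StandardCharsets.UTF_8);
        if (isJsp(path)) {
            return "JSP engine executes " + path;
        }
        // The mapping decision above saw the untrimmed path; the file lookup
        // below sees the trimmed one. That disagreement is the hole.
        String file = trimPath ? path.trim() : path;
        if (DOC_BASE.contains(file)) {
            return "static handler returns source of " + file;
        }
        return "404 Not Found";
    }

    public static void main(String[] args) {
        String[] uris = {"/index.jsp", "/index.jsp%20"};
        for (boolean trim : new boolean[] {true, false}) {
            System.out.println(trim ? "with trim:" : "without trim:");
            for (String uri : uris) {
                System.out.println("  " + uri + " -> " + handle(uri, trim));
            }
        }
    }
}
```

With the trim in place, `/index.jsp%20` skips the JSP mapping yet resolves to the JSP file; without it, the same request finds no file. The general rule is that the handler-selection check and the file lookup must operate on the same normalized path.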
