larryi      01/05/15 06:09:20

  Modified:    src/tests/webpages/WEB-INF test-tomcat.xml
  Log:
  Add tests to check whether "escaped" URLs can cause JSP source to
  be served.
  
  Revision  Changes    Path
  1.29      +67 -2     jakarta-tomcat/src/tests/webpages/WEB-INF/test-tomcat.xml
  
  Index: test-tomcat.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/tests/webpages/WEB-INF/test-tomcat.xml,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -r1.28 -r1.29
  --- test-tomcat.xml   2001/03/11 21:41:41     1.28
  +++ test-tomcat.xml   2001/05/15 13:09:16     1.29
  @@ -16,7 +16,7 @@
           early tests.
       -->
   
  -     <property name="revision" value="$Revision: 1.28 $" />  
  +     <property name="revision" value="$Revision: 1.29 $" />  
        <property name="host" value="127.0.0.1" />
        <property name="port"     value="8080" />
        <property name="outputType"     value="text" />
  @@ -1111,10 +1111,75 @@
         <gtest request="GET /test/meta-inf/Manifest.mf HTTP/1.0"
                returnCode="${http.protocol} 4" />
   
  +   </target>
  +
  +   <target name="security_chk">
         <gtest description="This URL should return 404 Not Found"
              request="GET /test/jsp/HelloWorld.jsp%20 HTTP/1.0"
              returnCode="${http.protocol} 404" 
         />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /test/jsp/HelloWorld.jsp%2520 HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /test/jsp/HelloWorld.jsp%00 HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /%2e%2e/%2e%2e/%00.jsp HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /%252e%252e/%252e%252e/%00.jsp HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /%2e%2e/%2e%2e/%5cLICENSE%00.jsp HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /%2e%2e/%2e%2e/%5cLICENSE/%00.jsp HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /%252e%252e/%252e%252e/%5cLICENSE%00.jsp HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +      <gtest description="This URL should return 404 Not Found"
  +           request="GET /%252e%252e/%252e%252e/%5cLICENSE/%00.jsp HTTP/1.0"
  +           returnCode="${http.protocol} 404" 
  +      />
  +
  +      <gtest description="This URL should return HTML, not JSP source"
  +           request="GET /test/jsp/HelloWorld.js%70 HTTP/1.0"
  +           returnCode="${http.protocol} 200" 
  +           goldenFile="${gdir}/HelloWorld.txt"
  +      />
  +
  +      <gtest description="This URL should return HTML, not JSP source"
  +           request="GET /test/jsp/HelloWorld.js%2570 HTTP/1.0"
  +           returnCode="${http.protocol} 200" 
  +           goldenFile="${gdir}/HelloWorld.txt"
  +      />
  +      <gtest description="This URL should return HTML, not JSP source"
  +           request="GET /test/jsp/HelloWorld%2Ejsp HTTP/1.0"
  +           returnCode="${http.protocol} 200" 
  +           goldenFile="${gdir}/HelloWorld.txt"
  +      />
  +
  +      <gtest description="This URL should return HTML, not JSP source"
  +           request="GET /test/jsp/HelloWorld%252Ejsp HTTP/1.0"
  +           returnCode="${http.protocol} 200" 
  +           goldenFile="${gdir}/HelloWorld.txt"
  +      />
      </target>
   
      <target name="writer">
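Review bot: The two double-encoded 200 cases in `security_chk` (`HelloWorld.js%2570` and `HelloWorld%252Ejsp`) appear to match the golden file only if the request path is percent-decoded twice, so they pin double decoding as expected behaviour, whereas the `%2520` and `%252e%252e` cases pass under either a single or a double decode. If a single decode is the intended contract, these two should expect a miss, e.g. `returnCode="${http.protocol} 404"` with no `goldenFile`. If double decoding is deliberate, a comment above them such as `<!-- path is decoded twice before servlet mapping; the result must reach the JSP servlet, never the static file handler -->` would record why. Separately, every 404 case carries the same description `This URL should return 404 Not Found`, so a failure report does not say which variant (trailing space, NUL byte, encoded dot-dot, backslash) regressed; distinct descriptions would make triage easier.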
  @@ -1135,7 +1200,7 @@
      </target>
   
      <!-- ==================== All targets ====================  -->
  -   <target name="client" 
depends="file,params,writer,dispatch,get,requestMap,post,wrong_request,restricted,jsp,unavailable,headers">
  +   <target name="client" 
depends="file,params,writer,dispatch,get,requestMap,post,wrong_request,restricted,jsp,unavailable,headers,security_chk">
      </target>
   
      <!-- ==================== Aux targets ==================== -->
  
  
  
