Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java
Is this screaming XSS attack? Since javadocs in getRequestURI() say ... The web container does not decode this String

-Tim

[EMAIL PROTECTED] wrote:
Author: markt
Date: Sat Jan 13 18:45:48 2007
New Revision: 496022
URL: http://svn.apache.org/viewvc?view=revrev=496022

Modified: tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java URL: http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java?view=diffrev=496022r1=496021r2=496022 == --- tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java (original) +++ tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java Sat Jan 13 18:45:48 2007 @@ -301,7 +301,7 @@ // creating unnecessary directories and files. if (null == context.getResource(jspUri)) { response.sendError(HttpServletResponse.SC_NOT_FOUND, - jspUri); + request.getRequestURI()); return; } boolean isErrorPage = exception != null;
Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java
Tim Funk wrote:
Is this screaming XSS attack? Since javadocs in getRequestURI() say ... The web container does not decode this String

It would be if it wasn't for line 177 of o.a.c.valves.ErrorReportValve which does:

String message = RequestUtil.filter(response.getMessage());

Mark
Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java
Sweet - I thought that was the case. [But wanted to make sure.]

-Tim

Mark Thomas wrote:
Tim Funk wrote:
Is this screaming XSS attack? Since javadocs in getRequestURI() say ... The web container does not decode this String

It would be if it wasn't for line 177 of o.a.c.valves.ErrorReportValve which does:

String message = RequestUtil.filter(response.getMessage());
svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java
Author: markt
Date: Sat Jan 13 18:45:48 2007
New Revision: 496022
URL: http://svn.apache.org/viewvc?view=revrev=496022

Log:
Fix bug 41327. Show full request URI for a 404. Patch provided by Vijay.

Modified:
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?view=diffrev=496022r1=496021r2=496022 == --- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original) +++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Sat Jan 13 18:45:48 2007 @@ -228,6 +228,10 @@ subsection name=Jasper changelog fix +bug39975/bug: don't have static Log references to prevent +classloader leaks. (yoavs) + /fix + fix bug40797/bug: This was a regression as a result of the fix for bug33407/bug. TLD validation was failing as a result of the use of the escape character (0x1b) as a temporary replacement for \$. @@ -238,15 +242,16 @@ bug41057/bug: Make jsp:plugin output XHTML compliant. (markt) /fix fix +bug41327/bug: Show full URI for a 404. Patch provided by Vijay. +(markt) + /fix + fix When displaying JSP source after an exception, handle included files. (markt) /fix fix Display the JSP source when a compilation error occurs and display the correct line number rather than start of a scriptlet block. (markt) - /fix - fix -bug39975/bug: don't have static Log references to prevent classloader leaks. (yoavs) /fix /changelog /subsection Modified: tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java URL: http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java?view=diffrev=496022r1=496021r2=496022 == --- tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java (original) +++ tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java Sat Jan 13 18:45:48 2007 
@@ -301,7 +301,7 @@ // creating unnecessary directories and files. if (null == context.getResource(jspUri)) { response.sendError(HttpServletResponse.SC_NOT_FOUND, - jspUri); + request.getRequestURI()); return; } boolean isErrorPage = exception != null;
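Review bot: In the changelog.xml hunk at @@ -238,15 +242,16 @@ the bug39975 entry is removed from the end of the Jasper list while the hunk at @@ -228,6 +228,10 @@ adds it back at the top; that move is unrelated to bug 41327 and the log message does not mention it. Suggest committing the reordering separately, or noting it in the log, so the changelog diff for this fix is only the added bug41327 entry.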
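Review bot: The new second argument to response.sendError(HttpServletResponse.SC_NOT_FOUND, ...) in the JspServlet.java hunk, request.getRequestURI(), is the URI as the client sent it and is not decoded by the container, so the 404 message now carries client-controlled text and is safe to render only where the code writing the error page escapes it. The thread above points to ErrorReportValve doing that with RequestUtil.filter(response.getMessage()), but nothing at this call site records the dependency. Suggest a comment beside the sendError call stating that the message is unescaped request data and relies on output-side filtering, so a later change to how the message is rendered does not drop the escaping unnoticed.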