Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

2007-01-14 Thread Tim Funk

Is this screaming XSS attack?

Since javadocs in getRequestURI() say ... The web container does not 
decode this String



-Tim

[EMAIL PROTECTED] wrote:

Author: markt
Date: Sat Jan 13 18:45:48 2007
New Revision: 496022

URL: http://svn.apache.org/viewvc?view=rev&rev=496022

Modified: 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java?view=diff&rev=496022&r1=496021&r2=496022
==
--- tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java 
(original)
+++ tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java 
Sat Jan 13 18:45:48 2007
@@ -301,7 +301,7 @@
 // creating unnecessary directories and files.
 if (null == context.getResource(jspUri)) {
 response.sendError(HttpServletResponse.SC_NOT_FOUND,
-   jspUri);
+   request.getRequestURI());
 return;
 }
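Review bot: the `+` line hands the raw, undecoded request.getRequestURI() to sendError() as the 404 message, and nothing in this hunk escapes it, so whatever bytes the client put on the request line become part of the error message. If the intent is to rely on the downstream ErrorReportValve (RequestUtil.filter on response.getMessage()) for HTML escaping, say so in a comment next to the sendError() call, because a web.xml error-page or a custom valve that reads the message attribute does not pass through that filter and would need to escape the value itself; the alternative is to escape here before the call.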
 boolean isErrorPage = exception != null;



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

2007-01-14 Thread Mark Thomas
Tim Funk wrote:
 Is this screaming XSS attack?
 
 Since javadocs in getRequestURI() say ... The web container does not
 decode this String

It would be if it wasn't for line 177 of o.a.c.valves.ErrorReportValve
which does:
String message = RequestUtil.filter(response.getMessage());

Mark


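The escaping step Mark points to, as an added example that is not part of the thread or of Tomcat's own code: a stand-in for RequestUtil.filter() (assumed to entity-encode `<`, `>`, `&` and `"`, which is what the Tomcat 5.5 version does) is applied to two constructed request URIs before each is embedded in a 404 body. The class, the method names and the page template are hypothetical.

```java
// Added example (not Tomcat's own code): shows why the raw request URI
// passed to sendError() needs HTML escaping before it lands in the 404 body.
public class RequestUriEscapeDemo {

    // Assumption: mirrors the behaviour of o.a.c.util.RequestUtil.filter()
    // cited in the thread, which entity-encodes <, >, & and ".
    static String filter(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical 404 template standing in for a report page that embeds
    // response.getMessage() in HTML without escaping it.
    static String renderUnfiltered(String message) {
        return "<h1>HTTP Status 404 - " + message + "</h1>";
    }

    // Same template with the filter applied, as ErrorReportValve does.
    static String renderFiltered(String message) {
        return "<h1>HTTP Status 404 - " + filter(message) + "</h1>";
    }

    // True if the rendered HTML still carries a client-supplied element.
    static boolean containsInjectedTag(String html) {
        return html.contains("<script");
    }

    public static void main(String[] args) {
        // Constructed inputs, in the form getRequestURI() returns them: the
        // container hands the request-target back without percent-decoding.
        String percentEncoded = "/app/%3Cscript%3Ealert(1)%3C/script%3E.jsp";
        String literal = "/app/<script>alert(1)</script>.jsp";

        for (String uri : new String[] { percentEncoded, literal }) {
            String unsafe = renderUnfiltered(uri);
            String safe = renderFiltered(uri);
            System.out.println("request URI : " + uri);
            System.out.println("unfiltered  : " + unsafe
                    + (containsInjectedTag(unsafe) ? "   <-- reflected XSS" : ""));
            System.out.println("filtered    : " + safe);
            System.out.println();
        }
    }
}
```

Compile and run with `javac RequestUriEscapeDemo.java && java RequestUriEscapeDemo`. The percent-encoded URI is harmless in HTML even unfiltered, precisely because getRequestURI() leaves it undecoded; the literal form is what a client can put on the request line, and that is the case the filter neutralises. Since the filter lives in ErrorReportValve, an application that maps its own error-page in web.xml and renders the javax.servlet.error.message attribute gets the raw value and must escape it itself.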



Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

2007-01-14 Thread Tim Funk

Sweet - I thought that was the case. [But wanted to make sure.]

-Tim

Mark Thomas wrote:

Tim Funk wrote:

Is this screaming XSS attack?

Since javadocs in getRequestURI() say ... The web container does not
decode this String


It would be if it wasn't for line 177 of o.a.c.valves.ErrorReportValve
which does:
String message = RequestUtil.filter(response.getMessage());






svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

2007-01-13 Thread markt
Author: markt
Date: Sat Jan 13 18:45:48 2007
New Revision: 496022

URL: http://svn.apache.org/viewvc?view=rev&rev=496022
Log:
Fix bug 41327. Show full request URI for a 404. Patch provided by Vijay.

Modified:
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?view=diff&rev=496022&r1=496021&r2=496022
==
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Sat Jan 13 18:45:48 2007
@@ -228,6 +228,10 @@
   subsection name=Jasper
 changelog
   fix
+bug39975/bug: don't have static Log references to prevent
+classloader leaks. (yoavs)
+  /fix
+  fix
 bug40797/bug: This was a regression as a result of the fix for
 bug33407/bug. TLD validation was failing as a result of the use
 of the escape character (0x1b) as a temporary replacement for \$.
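Review bot: the `+` lines add a bug39975 entry that already exists further down in the same subsection (the later hunk removes it), so this hunk is a reordering of an unrelated changelog entry inside a commit whose log message only names bug 41327. Either move it in its own commit or mention the reorder in the log, so the history explains why the yoavs entry changed position.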
@@ -238,15 +242,16 @@
 bug41057/bug: Make jsp:plugin output XHTML compliant. (markt)
   /fix
   fix
+bug41327/bug: Show full URI for a 404. Patch provided by Vijay.
+(markt)
+  /fix
+  fix
 When displaying JSP source after an exception, handle included files.
 (markt)
   /fix
   fix
 Display the JSP source when a compilation error occurs and display
 the correct line number rather than start of a scriptlet block. (markt)
-  /fix
-  fix
-bug39975/bug: don't have static Log references to prevent 
classloader leaks. (yoavs)
   /fix
 /changelog
   /subsection 
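Review bot: the new 41327 entry says "Show full URI for a 404" while the log message says "full request URI"; use the same wording here, and since the change switches the message from the context-relative jspUri to the raw request.getRequestURI(), it is worth a clause noting that the value is client-controlled and is escaped by ErrorReportValve rather than by Jasper, so anyone auditing error output later knows where the filtering happens.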

Modified: 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java?view=diff&rev=496022&r1=496021&r2=496022
==
--- tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java 
(original)
+++ tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java 
Sat Jan 13 18:45:48 2007
@@ -301,7 +301,7 @@
 // creating unnecessary directories and files.
 if (null == context.getResource(jspUri)) {
 response.sendError(HttpServletResponse.SC_NOT_FOUND,
-   jspUri);
+   request.getRequestURI());
 return;
 }
 boolean isErrorPage = exception != null;
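Review bot: the resource that is looked up (`context.getResource(jspUri)`) and the path that is reported (`request.getRequestURI()`) are now two different values. For a direct request they describe the same JSP with the context path prepended, which is what bug 41327 asks for, but when the JSP is reached through a RequestDispatcher include, jspUri is derived from the include attributes while getRequestURI() still returns the outer request's URI, so the 404 message names a path other than the one that was not found. Consider reporting the context path plus jspUri, or documenting that the message reflects the original request rather than the included resource.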


