cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java
marcsaeg01/06/14 08:26:09 Modified:src/examples/WEB-INF/classes/examples ShowSource.java Log: Porting ShowSource.java from 3.2.x. This contains the code that prevents the ShowSource servlet from displaying contents of files in WEB-INF and META-INF directories. PR: 372 Submitted by: Tony Robertson ([EMAIL PROTECTED]) Revision ChangesPath 1.5 +3 -1 jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java Index: ShowSource.java === RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- ShowSource.java 2000/03/07 19:53:39 1.4 +++ ShowSource.java 2001/06/14 15:26:07 1.5 @@ -20,7 +20,9 @@ } public int doEndTag() throws JspException { - if (jspFile.indexOf( ".." ) >= 0) + if ((jspFile.indexOf( ".." ) >= 0) || +(jspFile.toUpperCase().indexOf("/WEB-INF/") >= 0) || +(jspFile.toUpperCase().indexOf("/META-INF/") >= 0)) throw new JspTagException("Invalid JSP file " + jspFile); InputStream in
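Review bot: With this port the same three-term substring check now lives on both the trunk and the tomcat_32 branch, and the branch already shipped one broken variant of it (the `!= 0` comparison that the 08:23 commit corrects), so the validation in `doEndTag()` would be safer factored into a single helper that both branches share rather than duplicated inline. A second point on the check itself: `indexOf("/WEB-INF/")` and `indexOf("/META-INF/")` only match when the segment appears with a leading and trailing `/`, so the guard depends on how `jspFile` happens to be spelled; a more robust form resolves the file to its real path first and verifies that the resolved path sits under the directory the tag is meant to serve, with the existing `..`, `/WEB-INF/` and `/META-INF/` substring tests kept as a cheap early reject.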
cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java
marcsaeg01/06/14 08:23:47 Modified:src/examples/WEB-INF/classes/examples Tag: tomcat_32 ShowSource.java Log: The code that attempted to prevent exposing the contents of files in the WEB-INF and META-INF directories was broken and actually prevented source files from being displayed. PR: 372 Submitted by: Tony Robertson ([EMAIL PROTECTED]) Revision ChangesPath No revision No revision 1.4.4.2 +2 -2 jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java Index: ShowSource.java === RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v retrieving revision 1.4.4.1 retrieving revision 1.4.4.2 diff -u -r1.4.4.1 -r1.4.4.2 --- ShowSource.java 2000/12/10 03:07:51 1.4.4.1 +++ ShowSource.java 2001/06/14 15:23:46 1.4.4.2 @@ -21,8 +21,8 @@ public int doEndTag() throws JspException { if ((jspFile.indexOf( ".." ) >= 0) || -(jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) || -(jspFile.toUpperCase().indexOf("/META-INF/") != 0)) +(jspFile.toUpperCase().indexOf("/WEB-INF/") >= 0) || +(jspFile.toUpperCase().indexOf("/META-INF/") >= 0)) throw new JspTagException("Invalid JSP file " + jspFile); InputStream in
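Review bot: The change from `!= 0` to `>= 0` is the right fix. `String.indexOf` returns -1 when the substring is absent, so `(... indexOf("/WEB-INF/") != 0)` evaluated to true for every path that did not start with `/WEB-INF/`, and because the terms are joined with `||` every request to the tag ended in `JspTagException("Invalid JSP file ...")`; the earlier revision failed closed rather than open, which is why this was a functionality bug and not an exposure. Since the branch shipped with that regression, the commit should carry a small regression test alongside it: a normal example path such as `/jsp/foo.jsp` (placeholder name) must be served, and paths containing `..`, `/WEB-INF/` or `/META-INF/` in any letter case must still throw.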
cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java
craigmcc00/12/09 19:07:51 Modified:src/examples/WEB-INF/classes/examples Tag: tomcat_32 ShowSource.java Log: Fix a security vulnerability -- the "ShowSource" custom tag in conjunction with the "/examples/jsp/source.jsp" page could be used to expose the contents of sensitive information in the WEB-INF or META-INF directories. Revision ChangesPath No revision No revision 1.4.4.1 +3 -1 jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java Index: ShowSource.java === RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v retrieving revision 1.4 retrieving revision 1.4.4.1 diff -u -r1.4 -r1.4.4.1 --- ShowSource.java 2000/03/07 19:53:39 1.4 +++ ShowSource.java 2000/12/10 03:07:51 1.4.4.1 @@ -20,7 +20,9 @@ } public int doEndTag() throws JspException { - if (jspFile.indexOf( ".." ) >= 0) + if ((jspFile.indexOf( ".." ) >= 0) || +(jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) || +(jspFile.toUpperCase().indexOf("/META-INF/") != 0)) throw new JspTagException("Invalid JSP file " + jspFile); InputStream in
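Review bot: The two added terms compare the `indexOf` result against 0 with `!=`, which is the wrong test: `indexOf` returns -1 when `/WEB-INF/` or `/META-INF/` is not present, and `-1 != 0` is true, so the `||` chain rejects every `jspFile` the tag receives, including the legitimate example sources it exists to display. The comparison wanted here is the same one the existing `..` check uses, `>= 0`, i.e. `(jspFile.toUpperCase().indexOf("/WEB-INF/") >= 0) ||` and likewise for `/META-INF/`. Before committing, exercising the `/examples/jsp/source.jsp` page named in the log message with one ordinary path and one path under WEB-INF would have shown the first being refused and caught this.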