cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2000-12-09 Thread craigmcc

craigmcc    00/12/09 19:07:51

  Modified:    src/examples/WEB-INF/classes/examples  Tag: tomcat_32
                ShowSource.java
  Log:
  Fix a security vulnerability -- the "ShowSource" custom tag in conjunction
  with the "/examples/jsp/source.jsp" page could be used to expose the contents
  of sensitive information in the WEB-INF or META-INF directories.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.4.4.1   +3 -1  
jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java
  
  Index: ShowSource.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v
  retrieving revision 1.4
  retrieving revision 1.4.4.1
  diff -u -r1.4 -r1.4.4.1
  --- ShowSource.java   2000/03/07 19:53:39 1.4
  +++ ShowSource.java   2000/12/10 03:07:51 1.4.4.1
  @@ -20,7 +20,9 @@
   }
   
   public int doEndTag() throws JspException {
  - if (jspFile.indexOf( ".." ) >= 0)
  + if ((jspFile.indexOf( ".." ) >= 0) ||
  +(jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
  +(jspFile.toUpperCase().indexOf("/META-INF/") != 0))
throw new JspTagException("Invalid JSP file " + jspFile);
   
   InputStream in
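Review bot: the two added conditions are inverted and make the tag unusable rather than safer. `indexOf("/WEB-INF/") != 0` is true for every path that does not *begin* with "/WEB-INF/", so the `||` chain rejects essentially all legitimate files (and since no string can start with both "/WEB-INF/" and "/META-INF/", at least one of the two `!= 0` tests is always true, so every call throws "Invalid JSP file"). The intent is clearly "reject if the path *contains* the directory", which is `>= 0` on both lines, matching the style of the existing `".."` check. Independently of that, this remains a substring deny-list on the raw `jspFile` string; a more robust shape is to resolve the requested name against the application root (e.g. via `ServletContext.getRealPath` and `File.getCanonicalPath`) and refuse anything whose canonical path does not stay under the intended examples directory, which also removes the need to enumerate forbidden directory names.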
  
  
  



cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2001-06-14 Thread marcsaeg

marcsaeg    01/06/14 08:23:47

  Modified:    src/examples/WEB-INF/classes/examples  Tag: tomcat_32
                ShowSource.java
  Log:
  The code that attempted to prevent exposing the contents of files in the WEB-INF and 
META-INF directories was broken and actually prevented source files from being 
displayed.
  
  PR:  372
  Submitted by: Tony Robertson ([EMAIL PROTECTED])
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.4.4.2   +2 -2  
jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java
  
  Index: ShowSource.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v
  retrieving revision 1.4.4.1
  retrieving revision 1.4.4.2
  diff -u -r1.4.4.1 -r1.4.4.2
  --- ShowSource.java   2000/12/10 03:07:51 1.4.4.1
  +++ ShowSource.java   2001/06/14 15:23:46 1.4.4.2
  @@ -21,8 +21,8 @@
   
   public int doEndTag() throws JspException {
if ((jspFile.indexOf( ".." ) >= 0) ||
  -(jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
  -(jspFile.toUpperCase().indexOf("/META-INF/") != 0))
  +(jspFile.toUpperCase().indexOf("/WEB-INF/") >= 0) ||
  +(jspFile.toUpperCase().indexOf("/META-INF/") >= 0))
throw new JspTagException("Invalid JSP file " + jspFile);
   
   InputStream in
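Review bot: the `!= 0` to `>= 0` change on the two WEB-INF/META-INF lines is the right correction and restores the intended "reject if the path contains this directory" semantics; the remaining gap is that the original regression (a security check that silently broke the feature, PR 372) went unnoticed for six months because nothing exercises `doEndTag()`. Please add a small test alongside this change with three cases: an ordinary example path that must be accepted, a path containing "/WEB-INF/" (in mixed case, to cover the `toUpperCase()` branch) that must throw `JspTagException`, and a path containing ".." that must throw. That test would have caught 1.4.4.1 and will protect the 3.3 port of the same lines.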
  
  
  



cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2001-06-14 Thread marcsaeg

marcsaeg    01/06/14 08:26:09

  Modified:    src/examples/WEB-INF/classes/examples ShowSource.java
  Log:
  Porting ShowSource.java from 3.2.x.  This contains the code that prevents
  the ShowSource servlet from displaying contents of files in WEB-INF and META-INF
  directories.
  PR:  372
  Submitted by: Tony Robertson ([EMAIL PROTECTED])
  
  Revision  Changes    Path
  1.5   +3 -1  
jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java
  
  Index: ShowSource.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- ShowSource.java   2000/03/07 19:53:39 1.4
  +++ ShowSource.java   2001/06/14 15:26:07 1.5
  @@ -20,7 +20,9 @@
   }
   
   public int doEndTag() throws JspException {
  - if (jspFile.indexOf( ".." ) >= 0)
  + if ((jspFile.indexOf( ".." ) >= 0) ||
  +(jspFile.toUpperCase().indexOf("/WEB-INF/") >= 0) ||
  +(jspFile.toUpperCase().indexOf("/META-INF/") >= 0))
throw new JspTagException("Invalid JSP file " + jspFile);
   
   InputStream in
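Review bot: missing documentation. This port carries the corrected `>= 0` form (1.4.4.2) straight to the main branch, skipping the broken 1.4.4.1 version, but nothing in the hunk records why these three conditions exist; a reader of 1.5 alone sees an unexplained deny-list. Add a comment above the `if` stating that `ShowSource` must never serve files under WEB-INF or META-INF (deployment descriptors, classes, manifests) and that the `".."` test blocks directory traversal, and reference PR 372 so the branch and trunk copies stay in sync. Since the same three lines now live in two branches, consider also hoisting the check into a single helper so a future fix is not applied to one copy only.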