remm 01/04/02 01:41:48
Modified: catalina/src/share/org/apache/catalina/servlets
DefaultServlet.java
Log:
- Fixes security problem reported by Jon and an anonymous hacker.
Now http://127.0.0.1:8080/examples/jsp/dates/date%252ejsp returns 404,
while http://127.0.0.1:8080/examples/jsp/dates/date%2ejsp returns the result of
the execution of the JSP.
Now Craig is going to have a lot of fun building new binaries ;)
Revision Changes Path
1.32 +4 -6
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- DefaultServlet.java 2001/03/23 02:55:44 1.31
+++ DefaultServlet.java 2001/04/02 08:41:45 1.32
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.31 2001/03/23 02:55:44 remm Exp $
- * $Revision: 1.31 $
- * $Date: 2001/03/23 02:55:44 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.32 2001/04/02 08:41:45 remm Exp $
+ * $Revision: 1.32 $
+ * $Date: 2001/04/02 08:41:45 $
*
* ====================================================================
*
@@ -122,7 +122,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.31 $ $Date: 2001/03/23 02:55:44 $
+ * @version $Revision: 1.32 $ $Date: 2001/04/02 08:41:45 $
*/
public class DefaultServlet
@@ -868,8 +868,6 @@
// Placed at the beginning of the chain so that encoded
// bad stuff(tm) can be caught by the later checks
String normalized = path;
- if (normalized.indexOf('%') >= 0)
- normalized = RequestUtil.URLDecode(normalized, "UTF8");
if (normalized == null)
return (null);
