I am still unable to reproduce this.  I am running Tomcat standalone
on Win2000 and behind IIS on NT4; neither exhibits the problem you are
describing, or the one that you linked to.  Both of my systems are using
Sun's Java 1.2.2_007.

        Could it be that somehow your IIS configuration is serving this up?
If the Cold Fusion patch was from Microsoft it seems like IIS might be doing
some strange things - I would suggest moving all of your JSPs outside of
inetpub in order to prevent IIS from finding them (just as a test).

        Have you done anything to your server.xml file or web.xml file?
Perhaps you have stumbled onto a configuration that causes this bug. (My
configuration is pretty close to the default with the modification of
dropping HTTP on the server and adding servlet mappings for my webapp)

        Randy

> -----Original Message-----
> From: Venkat [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 08, 2001 12:54 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Source script reveal bug
> 
> 
> Please take a look at this url:
> http://w6.metronet.com/~wjm/tomcat/2001/Apr/msg00163.html
> 
> My current version is 3.2.1, I upgraded to latest 3.2.2 but of no use, the
> bug still exists.  Anything wrong with my upgrade?
> 
> Thanks
> 
> Venkat
> ----- Original Message -----
> From: "Mark Howell" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 08, 2001 12:33 PM
> Subject: Re: Source script reveal bug
> 
> 
> > I know that the release notes for tomcat 4 beta 5 state that appending the
> > string "%00" to the end of the JSP url will reveal the source code, but it
> > was referring to tc4 betas prior to beta 5.  Is this the issue you're talking
> > about?
> >
> > -Mark Howell
> > [EMAIL PROTECTED]
> > http://nullcraft.org
> >
> > Venkat wrote:
> > >
> > > Hi All
> > >
> > > Since I could not get a solution from the archives, this posting is
> > > inevitable
> > >
> > > I'm using Tomcat 3.2.1 on my production server on Win2K with IIS 5.  I
> > > recently came across a bug in this version of Tomcat which reveals JSP
> > > script source code by URL trickery.  I hope many of you guys there are aware
> > > of it and fixed it too.  I wish to know whether it is a bug in the Windows
> > > platform (because coldfusion on windows has a similar problem: adding +.htr
> > > to your cfm url reveals cfm source code, and MS has a fix for NT 4.0 and win2K)
> > >
> > > If it's a bug in Tomcat, is there a fix for it and how to do it.  Please
> > > reply with complete details/urls
> > >
> > > Regards
> > >
> > > Venkat
> > >
> > > _________________________________________________________
> > > Do You Yahoo!?
> > > Get your free @yahoo.com address at http://mail.yahoo.com
> 
> 
> 
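
One way to check whether a server has been receiving the suffix tricks discussed in this thread is to scan its access log for them. The script below is an added example, not part of the original messages or of Tomcat; it assumes Common Log Format, applies both suffixes named in the thread ("%00" and "+.htr") to both `.jsp` and `.cfm` URLs, and goes slightly beyond the thread by also catching double-encoded forms such as `%2500`.

```python
import re
from urllib.parse import unquote

# Suffixes named in the thread: "%00" after a JSP URL, "+.htr" after a CFM URL.
# Applying both to both extensions is an assumption of this example.
SCRIPT_EXTS = (".jsp", ".cfm")
SUFFIXES = {"nul-byte": "\x00", "htr-suffix": "+.htr"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def decode_path(target, rounds=3):
    """Drop the query string and percent-decode until stable (catches %2500)."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()  # Windows file names are case-insensitive

def classify(target):
    """Return the matching rule name, or None for an ordinary request."""
    path = decode_path(target)
    for ext in SCRIPT_EXTS:
        for rule, suffix in SUFFIXES.items():
            if ext + suffix in path:
                return rule
    return None

def scan(lines):
    """Yield (rule, status, target) for each log line that trips a rule."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (rule := classify(m.group(1))):
            yield rule, int(m.group(2)), m.group(1)

# Constructed sample log lines (not from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2001:12:40:01 +0000] "GET /app/index.jsp HTTP/1.0" 200 512',
    '192.0.2.11 - - [08/Jun/2001:12:41:07 +0000] "GET /app/index.jsp%00 HTTP/1.0" 200 2048',
    '192.0.2.11 - - [08/Jun/2001:12:41:09 +0000] "GET /app/login.JSP%2500 HTTP/1.0" 404 0',
    '192.0.2.12 - - [08/Jun/2001:12:42:30 +0000] "GET /shop/cart.cfm+.htr HTTP/1.0" 200 1900',
    '192.0.2.13 - - [08/Jun/2001:12:43:00 +0000] "GET /docs/a.html?next=x.jsp%00 HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for rule, status, target in scan(SAMPLE_LOG):
        print(f"{rule:10} {status} {target}")
```

A flagged request that returned status 200 with a body larger than the normal rendered page is the case worth checking against the JSP or CFM source on disk.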
