[ https://issues.jboss.org/browse/WFLY-8158?page=com.atlassian.jira.plugin.... ]
Markus Markus commented on WFLY-8158:
-------------------------------------
Note: we have +not+ tried to find out if the error is present on any other WildFly version
(because we do not use any other WildFly version for the particular use case where this
bug is of importance to us).

JSP source code leak when space and periods added at the end of the URL
-----------------------------------------------------------------------
Key: WFLY-8158
URL: https://issues.jboss.org/browse/WFLY-8158
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 8.2.0.Final
Environment: WildFly executing on Windows
Reporter: Markus Markus
Assignee: Stuart Douglas
Priority: Blocker
All of the following requests will return the jsp file content untransformed, meaning
that the actual content of the jsp-file is returned to the browser.
{code}
http://localhost:8080/application/HostPage.jsp%2E
http://localhost:8080/application/HostPage.jsp%2E%2E
http://localhost:8080/application/HostPage.jsp%20%2E
http://localhost:8080/application/HostPage.jsp%20%2E%2E
{code}
The problem with periods has perhaps to do with Windows removing/accepting trailing
periods in file names:
[here|http://stackoverflow.com/questions/17746494/why-is-directory-name-wh...],
[and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename...]
because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}}
delegates to {{java.io.File}} to test whether a file path is valid or not, and
{{java.io.File}} does presumably delegate to Windows.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
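
A request-path check for the behaviour described in the report, as an added example that is not part of the original message and is not WildFly or Undertow code. It assumes the decoded name misses the `*.jsp` mapping and is then resolved by Windows to the real file; the class and method names are hypothetical.

```java
import java.net.URI;
import java.util.List;

public class TrailingDotCheck {

    // Model (assumption) of the Windows behaviour the report points to:
    // trailing periods and spaces are dropped from the final name on open.
    static String windowsEffectiveName(String name) {
        int end = name.length();
        while (end > 0 && (name.charAt(end - 1) == '.' || name.charAt(end - 1) == ' ')) {
            end--;
        }
        return name.substring(0, end);
    }

    // Simplified stand-in for the container's "*.jsp" extension mapping.
    static boolean mappedToJspServlet(String name) {
        return name.endsWith(".jsp");
    }

    // Final path segment of a request URL, percent-decoded by URI.getPath().
    static String lastSegment(String url) {
        String path = URI.create(url).getPath();
        return path.substring(path.lastIndexOf('/') + 1);
    }

    // Reject when the name as requested is not routed to the JSP servlet,
    // yet names a .jsp file once Windows has normalised it.
    static boolean shouldReject(String url) {
        String name = lastSegment(url);
        return !mappedToJspServlet(name) && mappedToJspServlet(windowsEffectiveName(name));
    }

    public static void main(String[] args) {
        // First URL is the normal request; the other four are from the report.
        List<String> urls = List.of(
            "http://localhost:8080/application/HostPage.jsp",
            "http://localhost:8080/application/HostPage.jsp%2E",
            "http://localhost:8080/application/HostPage.jsp%2E%2E",
            "http://localhost:8080/application/HostPage.jsp%20%2E",
            "http://localhost:8080/application/HostPage.jsp%20%2E%2E");
        for (String url : urls) {
            System.out.printf("%-58s name=[%s] reject=%b%n",
                url, lastSegment(url), shouldReject(url));
        }
    }
}
```

The first URL prints `reject=false` and the four from the report print `reject=true`.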