[jboss-jira] [JBoss JIRA] (WFLY-8158) JSP source code leak when space and periods added at the end of the URL
Markus Markus (JIRA)
issues at jboss.org
Fri Feb 17 06:53:00 EST 2017
Markus Markus created WFLY-8158:
-----------------------------------
Summary: JSP source code leak when space and periods added at the end of the URL
Key: WFLY-8158
URL: https://issues.jboss.org/browse/WFLY-8158
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 8.2.0.Final
Environment: WildFly executing on Windows
Reporter: Markus Markus
Assignee: Stuart Douglas
Priority: Blocker
All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser.
{code}
http://localhost:8080/application/HostPage.jsp%2E
http://localhost:8080/application/HostPage.jsp%2E%2E
http://localhost:8080/application/HostPage.jsp%20%2E
http://localhost:8080/application/HostPage.jsp%20%2E%2E
{code}
The problem with periods has perhaps to do with windows removing/accepting trailing periods in file names: [here|http://stackoverflow.com/questions/17746494/why-is-directory-name-which-contains-dots-in-the-end-is-treated-as-a-directory], [and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename-with-a-trailing-period-in-windows/16203594#16203594] because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}} delegates to {{java.io.File}} to test whether a file path is valid or not, and {{java.io.File}} does presumably delegate to Windows.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list