[jboss-jira] [JBoss JIRA] (WFLY-8158) JSP source code leak when space and periods added at the end of the URL
Markus Markus (JIRA)
issues at jboss.org
Fri Feb 17 07:15:00 EST 2017
[ https://issues.jboss.org/browse/WFLY-8158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13365368#comment-13365368 ]
Markus Markus commented on WFLY-8158:
-------------------------------------
Note: we have +not+ tried to find out if the error is present on any other WildFly version (because we do not use any other WildFly version for the particular use case where this bug is of importance to us).
> JSP source code leak when space and periods added at the end of the URL
> -----------------------------------------------------------------------
>
> Key: WFLY-8158
> URL: https://issues.jboss.org/browse/WFLY-8158
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 8.2.0.Final
> Environment: WildFly executing on Windows
> Reporter: Markus Markus
> Assignee: Stuart Douglas
> Priority: Blocker
>
> All of the following requests will return the JSP file content untransformed, meaning that the actual content of the JSP file is returned to the browser.
> {code}
> http://localhost:8080/application/HostPage.jsp%2E
> http://localhost:8080/application/HostPage.jsp%2E%2E
> http://localhost:8080/application/HostPage.jsp%20%2E
> http://localhost:8080/application/HostPage.jsp%20%2E%2E
> {code}
> The problem with periods has perhaps to do with Windows removing/accepting trailing periods in file names: [here|http://stackoverflow.com/questions/17746494/why-is-directory-name-which-contains-dots-in-the-end-is-treated-as-a-directory], [and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename-with-a-trailing-period-in-windows/16203594#16203594], because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}} delegates to {{java.io.File}} to test whether a file path is valid or not, and {{java.io.File}} presumably delegates to Windows.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
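As an added defender-side example (not code from the ticket, WildFly or Undertow), a servlet filter that rejects requests whose percent-decoded path carries the trailing period or space the report describes, before the request reaches the default resource servlet. It assumes a Java EE 7 web application (javax.servlet, as on WildFly 8.2) and the hypothetical class name TrailingDotSpaceFilter, and it generalises the check from the final character to every path segment, since Windows applies the same stripping to directory names.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests in which any percent-decoded path segment ends in a period or a
 * space. On Windows, java.io.File strips trailing periods and spaces, so "/HostPage.jsp."
 * resolves to HostPage.jsp on disk while bypassing the *.jsp mapping that would compile it.
 */
@WebFilter(filterName = "TrailingDotSpaceFilter", urlPatterns = "/*") // hypothetical name
public class TrailingDotSpaceFilter implements Filter {

    /** True when a decoded segment ends with '.' or ' ' ("." and ".." are left to normalization). */
    static boolean hasTrailingDotOrSpace(String rawRequestUri) {
        String decoded;
        try {
            // URI.getPath() decodes %2E and %20 but, unlike URLDecoder, does not
            // turn '+' into a space, which would corrupt legitimate path segments.
            decoded = new URI(rawRequestUri).getPath();
        } catch (URISyntaxException e) {
            return true; // unparseable URI: treat as suspicious and reject it
        }
        if (decoded == null) return false;
        for (String segment : decoded.split("/")) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) continue;
            char last = segment.charAt(segment.length() - 1);
            if (last == '.' || last == ' ') return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRequestURI() returns the undecoded path, so %2E and %20 are still visible here.
        if (hasTrailingDotOrSpace(((HttpServletRequest) req).getRequestURI())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Annotation-declared filters have no defined order relative to filters declared in web.xml, so declare this one in web.xml first if the application has other filters that must not see the request.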