[jboss-jira] [JBoss JIRA] (WFLY-8158) JSP source code leak when space and periods added at the end of the URL

Stuart Douglas (JIRA) issues at jboss.org
Fri Feb 17 16:33:00 EST 2017


     [ https://issues.jboss.org/browse/WFLY-8158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas resolved WFLY-8158.
----------------------------------
    Resolution: Duplicate Issue


Duplicate of UNDERTOW-576 which was fixed by https://github.com/undertow-io/undertow/commit/b1df3310f50a7cf45160194a18f15dc4ddc623bb

> JSP source code leak when space and periods added at the end of the URL
> -----------------------------------------------------------------------
>
>                 Key: WFLY-8158
>                 URL: https://issues.jboss.org/browse/WFLY-8158
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 8.2.0.Final
>         Environment: WildFly executing on Windows
>            Reporter: Markus Markus
>            Assignee: Stuart Douglas
>            Priority: Blocker
>
> All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser.
> {code}
> http://localhost:8080/application/HostPage.jsp%2E
> http://localhost:8080/application/HostPage.jsp%2E%2E
> http://localhost:8080/application/HostPage.jsp%20%2E
> http://localhost:8080/application/HostPage.jsp%20%2E%2E
> {code}
> The problem with periods perhaps has to do with Windows removing/accepting trailing periods in file names: [here|http://stackoverflow.com/questions/17746494/why-is-directory-name-which-contains-dots-in-the-end-is-treated-as-a-directory], [and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename-with-a-trailing-period-in-windows/16203594#16203594], because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}} delegates to {{java.io.File}} to test whether a file path is valid or not, and {{java.io.File}} presumably delegates to Windows.
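The guard below is an added example, not Undertow's own fix (that is in the linked commit): it shows the check a Windows-hosted resource handler needs before it hands a request path to java.io.File. The class name, the resolve() method and docRoot are assumed, and the canonical-name comparison assumes getCanonicalFile() returns the name as actually stored on disk.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
// Added example, not Undertow's code: a guard a Windows-hosted resource
// handler can apply before delegating to java.io.File. Windows silently
// drops trailing dots and spaces from a file name, so "HostPage.jsp." opens
// HostPage.jsp although no "*.jsp" servlet mapping matched the request.
public final class TrailingDotGuard {
    // Decode the raw request path. Note URLDecoder also turns '+' into ' ',
    // which is harmless here because a trailing '+' is then rejected too.
    static String decodePath(String rawPath) throws IOException {
        return URLDecoder.decode(rawPath, "UTF-8");
    }

    // True if the decoded final path segment ends in '.' or ' '.
    static boolean hasTrailingDotOrSpace(String rawPath) throws IOException {
        String decoded = decodePath(rawPath);
        String last = decoded.substring(decoded.lastIndexOf('/') + 1);
        return last.endsWith(".") || last.endsWith(" ");
    }

    // Resolve the request under docRoot, or return null (treat as 404).
    // Second line of defence (assumption: canonical form reflects the on-disk
    // name): what the OS opens must equal what was asked for, inside docRoot.
    static File resolve(File docRoot, String rawPath) throws IOException {
        if (hasTrailingDotOrSpace(rawPath)) {
            return null;
        }
        File candidate = new File(docRoot, decodePath(rawPath));
        File canonical = candidate.getCanonicalFile();
        if (!canonical.getName().equals(candidate.getName())) {
            return null;
        }
        if (!canonical.toPath().startsWith(docRoot.getCanonicalFile().toPath())) {
            return null;
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        String[] probes = {                     // the URLs from the report
            "/application/HostPage.jsp", "/application/HostPage.jsp%2E",
            "/application/HostPage.jsp%2E%2E", "/application/HostPage.jsp%20%2E",
            "/application/HostPage.jsp%20%2E%2E" };
        for (String p : probes) {
            System.out.println(p + " -> " + (hasTrailingDotOrSpace(p) ? "reject" : "allow"));
        }
    }
}
```

Only the first probe is allowed; the four variants from the report are rejected before java.io.File ever sees them, so the JSP mapping cannot be bypassed.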



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)