[jboss-jira] [JBoss JIRA] (WFLY-8158) JSP source code leak when space and periods added at the end of the URL

Markus Wahl (JIRA) issues at jboss.org
Mon Feb 20 09:28:01 EST 2017 

    [ https://issues.jboss.org/browse/WFLY-8158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13366242#comment-13366242 ] 

Markus Wahl commented on WFLY-8158:
-----------------------------------

Great. I will look into that commit. Thanks [~swd847]

BTW why can't we study the JIRA UNDERTOW-576 (or UNDERTOW-432 for that matter)? I received a response from a Vlastimil Elias (software engineer, jboss.org Development Team) who said it was because of a security issue. But since everything is readily accessibly via the public git-hib-repository I believe that response to not have much merit. Please, what is your opinion? Is it possible to change that policy so that we can inspect all JIRA-issues for undertow?


> JSP source code leak when space and periods added at the end of the URL
> -----------------------------------------------------------------------
>
>                 Key: WFLY-8158
>                 URL: https://issues.jboss.org/browse/WFLY-8158
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 8.2.0.Final
>         Environment: WildFly executing on Windows
>            Reporter: Markus Wahl
>            Assignee: Stuart Douglas
>            Priority: Blocker
>
> All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser.
> {code}
> http://localhost:8080/application/HostPage.jsp%2E
> http://localhost:8080/application/HostPage.jsp%2E%2E
> http://localhost:8080/application/HostPage.jsp%20%2E
> http://localhost:8080/application/HostPage.jsp%20%2E%2E
> {code}
> The problem with periods has perhaps to do with windows removing/accepting trailing periods in file names: [here|http://stackoverflow.com/questions/17746494/why-is-directory-name-which-contains-dots-in-the-end-is-treated-as-a-directory], [and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename-with-a-trailing-period-in-windows/16203594#16203594] because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}} delegates to {{java.io.File}} to test whether a file path is valid or not, and {{java.io.File}} does presumably delegate to Windows.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list