JBEAP-127 (JBoss Enterprise Application Platform)

JSP source code leak when a slash added at the end of the URL


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.0.0.DR4
    • 7.0.0.DR1
    • Web (JBoss Web)
    • None
      • download and deploy the attached reproducer jsp-source.war
      • access index.jsp with trailing slash:
      $ curl http://localhost:8080/jsp-source/index.jsp/
      <%@ page language="java" errorPage="/error.jsp" pageEncoding="UTF-8" contentType="text/html;charset=utf-8" session="false" %>
      <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
      
      <%
        // Can you see this text? Then you've reproduced the issue!
      
        System.out.println("JSP SOURCE LEAK REPRODUCER - Just put some text into the log file when we hit the JSP in the correct way... ");
      %>
      
      <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      ...
      

      When a trailing slash is added to a JSP URL (e.g. localhost:8080/my-app/index.jsp/) the source code of the JSP is downloaded/displayed.

      This is a security issue, because users can have passwords to external systems directly stored in JSP source code.

      This was originally reported by Abhinav Gupta on Stack Overflow.
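      As an added regression check (not part of this issue or the attached reproducer), the script below repeats the curl step for each JSP path with a trailing slash and reports whether the response body still contains JSP syntax rather than rendered HTML. The default base URL and path are the ones from the reproducer; the `fetch` callable is injected so the same logic can be exercised against constructed responses.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Markers that only appear in unprocessed JSP source: page/taglib/include
# directives, scriptlets, expressions and JSP comments. Rendered HTML from a
# correctly executed JSP never contains "<%".
JSP_DIRECTIVE = re.compile(rb"<%@\s*(page|taglib|include)\b")
JSP_SCRIPTLET = re.compile(rb"<%(?:--|[!=]?\s)")

def looks_like_jsp_source(body: bytes) -> bool:
    """True if the body carries JSP syntax, i.e. the container served the .jsp
    file as a static resource instead of compiling and executing it."""
    return bool(JSP_DIRECTIVE.search(body) or JSP_SCRIPTLET.search(body))

Fetch = Callable[[str], Tuple[int, bytes]]

def check_trailing_slash(base_url: str, jsp_paths: List[str], fetch: Fetch) -> Dict[str, bool]:
    """Request "<base>/<path>/" for every JSP path and report True where the
    JBEAP-127 behaviour (HTTP 200 with raw JSP source) is observed. `fetch` is
    injected so the same logic runs against a live server or canned responses."""
    results: Dict[str, bool] = {}
    for path in jsp_paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/") + "/"
        status, body = fetch(url)
        # A fixed server answers 404 (or renders the page); only a 200 whose
        # body contains JSP syntax counts as a leak.
        results[path] = status == 200 and looks_like_jsp_source(body)
    return results

def http_fetch(url: str) -> Tuple[int, bytes]:
    """urllib-based fetch returning (status, body); 4xx/5xx are data, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

if __name__ == "__main__":
    # Usage: python jsp_slash_check.py http://localhost:8080/jsp-source index.jsp error.jsp
    base, *paths = sys.argv[1:] or ["http://localhost:8080/jsp-source", "index.jsp"]
    for path, leaked in check_trailing_slash(base, paths, http_fetch).items():
        print(f"{path}/ -> {'JSP SOURCE LEAKED' if leaked else 'ok'}")
```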

            sdouglas1@redhat.com Stuart Douglas
            josef.cacek@gmail.com Josef Cacek (Inactive)
            Michal Karm Michal Karm
            Michal Karm Michal Karm