7 Replies Latest reply on May 6, 2015 2:01 PM by ctomc

With trailing slash in URL , jsp show source code

abhinav.gupta01 Apr 29, 2015 7:18 AM

Hi All,

we have application deployed over wildfly 8.1 . All works fine for jsps , but whenver I put a slash , broswer shows source code of jsp. This is an issue from security.

Can I handle this at wildfly or undertow configuration level .

For example :

http://localhost:8080/TaskManager/login.jsp/ - show jsp source code

http://localhost:8080/TaskManager/login.jsp - works perfect

One solution I am aware of is to put all my jsp inside WEB-INF , but I am looking to handle it at server level.

Id it possible , if yes how ? Please help

Thanks,

Abhinav

1. Re: With trailing slash in URL , jsp show source code

abhinav.gupta01 May 5, 2015 1:25 AM (in response to abhinav.gupta01)

Guys.. Please share your views.. ilya_shaikovsky
Actions
2. Re: With trailing slash in URL , jsp show source code

ctomc May 5, 2015 4:49 AM (in response to abhinav.gupta01)

how does your web.xml look like?

or even better, can you share a war that reproduces this?
Actions
3. Re: With trailing slash in URL , jsp show source code

abhinav.gupta01 May 6, 2015 1:28 AM (in response to abhinav.gupta01)

Hello Tomaz,

I am able to reproduce this issue with wildfly logging quickstart.

If I use URL , http://localhost:8080/jboss-logging/home.jsp/ - I see content of jsp..
And http://localhost:8080/jboss-logging/home.jsp and this works fine.

Shared war file at https://www.dropbox.com/s/8qbec3n22btg7mf/jboss-logging.war?dl=0
Please have a look once you have some time available .

Thanks in advance for helping me here.

Same question I posted on stackoverflow :

http://stackoverflow.com/questions/30028346/with-trailing-slash-in-url-jsp-show-source-code

Thanks,
Abhinav
Actions
4. Re: With trailing slash in URL , jsp show source code

jaysensharma May 6, 2015 1:35 AM (in response to abhinav.gupta01)

It related to : https://issues.jboss.org/browse/UNDERTOW-432
Undertow Fix Version/s: 1.0.18.Final, 1.1.5.Final, 1.2.5.Final
Actions
5. Re: With trailing slash in URL , jsp show source code

jcacek May 6, 2015 5:56 AM (in response to abhinav.gupta01)

This bug is (also) present in WildFly 9.0 CR1, I've reported a new issue for it:
[WFLY-4595] JSP source code leak when a slash added at the end of the URL - JBoss Issue Tracker
Actions
6. Re: With trailing slash in URL , jsp show source code

abhinav.gupta01 May 6, 2015 12:04 PM (in response to abhinav.gupta01)

Thanks All.
This is a bug on undertow server. I check master branch and fix is merge TODAY..
I picked io.undertow.servlet.handlers.DefaultServlet from master and see below is change for that :

if(path.endsWith("/")) {
                //UNDERTOW-432
                resp.sendError(404);
                return;
            }
As a workaround for now , I pick source of undertow for 8.1 WildFly version , add above code in that and add new class file to my existing jar. This solve issue.

I am not sure what is process to get patch for this in wildfly .. for both 8.1 Final and 8.2 Final release. If some one is aware of please enlighten me.

Thanks
Abhinav
Actions
7. Re: With trailing slash in URL , jsp show source code

ctomc May 6, 2015 2:01 PM (in response to abhinav.gupta01)

it is fixed in undertow 1.2.5
PR with undertow upgrade that contains a fix
https://github.com/wildfly/wildfly-core/pull/684
https://github.com/wildfly/wildfly-core/pull/685
Actions

Go to original post