Hmmm...in 4.0.1sp1 I cannot replicate that behavior.
Your configuration is probably different from mine, so here's some more info ... The URL:
on my Windows machine displays the contents of the file:
If you don't have the file on your system, naturally it wouldn't show.
Also, I'm running Tomcat in capital-insensitive mode.
If the problem is solved in SP1 that would be great. There should be no way for hackers to look inside our WEB-INFs.
From the tomcat caseSensitive attribute configuration docs:
If the value of this flag is true, all case sensitivity checks will be disabled. If not specified, the default value of the flag is true.
NOTE: This flag MUST NOT be set to false on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.
Thanks for the info. This sounds unfortunate, since it means a large body of web-content developed in case-insensitive mode could not be safely served on JBOSS/Tomcat - each and every hyperlink and resource-reference, some dynamically generated, might stop working (because their case may now be wrong).
I wonder though, could case-sensitivity be the cause for the '.' -problem in my URL?
I looked at:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/resources.html and all it says about this attribute is:
This boolean flag toggles case sensitivity for resources on the Windows platform. Defaults to true.
Could you give us a link to the other piece of documentation you mention?
Thanks for the link. It seems the 'caseSensitive' -attribute can be set in two different places. One is within the CONTEXT element, as described in: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html
The other is within the RESOURCES element, as documented in: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/resources.html
Only within the documentation for CONTEXT does it state that
"This flag MUST NOT be set to false on the Windows". The 2nd link on the other hand says:
"This boolean flag toggles case sensitivity for resources on the Windows platform. Defaults to true".
So the 2nd link would seem to say that the purpose of this attribute (within the RESOURCES section) is precisely to alter case-sensitivity on Windows, when needed! It seems the only reason to use it would be if you're running Windows.
This leaves me perplexed. If anybody knows of a test for checking whether this JSP vulnerability exists or not, on a given installation, I would be most grateful to learn about it. Maybe there's a way to guard against it too, by configuring the URL-patterns appropriately, etc.?
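
For the question above about a test and a guard, an added example (not part of any post in this thread, and not Tomcat's own code): a Python audit that flags explicit caseSensitive settings other than true on the Context and Resources elements, plus a case-insensitive WEB-INF check that a front-end filter could apply. The function names and the sample server.xml are constructed for illustration; reporting every non-true value is a conservative assumption.

```python
import xml.etree.ElementTree as ET

# The two elements the thread names as accepting caseSensitive.
ELEMENTS = {"Context", "Resources"}

# Constructed sample configuration, not taken from the thread.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/shop" docBase="shop" caseSensitive="false"/>
        <Context path="/docs" docBase="docs">
          <Resources caseSensitive="False"/>
        </Context>
        <Context path="/ok" docBase="ok" caseSensitive="true"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def find_case_insensitive(xml_text):
    """Return (element, context path, value) for each explicit
    caseSensitive setting that is not "true"."""
    findings = []

    def walk(node, ctx_path):
        if node.tag == "Context":
            ctx_path = node.get("path", "")
        value = node.get("caseSensitive")
        # Assumption: any explicit value other than "true" is reported.
        if node.tag in ELEMENTS and value is not None \
                and value.strip().lower() != "true":
            findings.append((node.tag, ctx_path, value))
        for child in node:
            walk(child, ctx_path)

    walk(ET.fromstring(xml_text), None)
    return findings

def enters_web_inf(request_path):
    """True if any path segment is WEB-INF, ignoring case; a front-end
    filter could refuse such requests before they reach the container."""
    return any(seg.lower() == "web-inf" for seg in request_path.split("/"))

if __name__ == "__main__":
    for tag, ctx, value in find_case_insensitive(SAMPLE_SERVER_XML):
        print(f"{tag} (context {ctx!r}): caseSensitive={value!r}")
```

Run it against the server.xml and any per-application context files of the installation being checked.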