Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.5.139-beta
- None
- Ubuntu Linux, JDK 1.5
Description
By manipulating the JSP fields directly, it's possible to upload a file (e.g. ".."), which ends up in the page directory under the name "..-att". This does not otherwise affect JSPWiki operation, but it does make that data inaccessible and invisible.
The proposal is to make sure that dots are also escaped when saving a file.
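One way to apply the proposed fix, as an added example that is not JSPWiki's own code: the hypothetical helpers `mangle` and `attachmentDir` percent-encode dots in the attachment name before appending the `-att` suffix from the report, then confirm the result is a direct child of the page directory. The page directory and sample names are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLEncoder;

public class AttachmentNameDemo {
    // Suffix of the per-attachment directory, as named in the report.
    static final String ATT_SUFFIX = "-att";

    // Hypothetical helper: URL-encode the name, then also encode '.',
    // which URLEncoder leaves untouched, so ".." becomes "%2E%2E".
    static String mangle(String name) throws IOException {
        return URLEncoder.encode(name, "UTF-8").replace(".", "%2E");
    }

    // Hypothetical helper: build the on-disk directory for an attachment
    // and reject anything that is not a direct child of the page directory.
    static File attachmentDir(File pageDir, String name) throws IOException {
        if (name == null || name.length() == 0) {
            throw new IllegalArgumentException("empty attachment name");
        }
        File dir = new File(pageDir, mangle(name) + ATT_SUFFIX);
        File parent = dir.getCanonicalFile().getParentFile();
        if (!pageDir.getCanonicalFile().equals(parent)) {
            throw new IOException("attachment directory outside page directory: " + name);
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        // Constructed page directory and attachment names for the demo.
        File pageDir = new File(System.getProperty("java.io.tmpdir"), "DemoPage-dir");
        String[] names = { "..", ".", "report.pdf", "a b.txt" };
        for (String n : names) {
            // ".." maps to "%2E%2E-att" instead of "..-att"
            System.out.println("\"" + n + "\" -> " + attachmentDir(pageDir, n).getName());
        }
    }
}
```

Reading an attachment back requires decoding the directory name with the inverse mapping (`URLDecoder.decode` handles `%2E`), so the stored name stays recoverable.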