PQ91033; 5.0.2.7: Secure file served without challenge
Downloadable files
Abstract
Some URIs may be served as plain text, with raw content sent back to the
client.
Download Description
PQ91033 resolves the following problem:
ERROR DESCRIPTION
Requests for secure files may be served without challenge. This violates
the file access security policy.
LOCAL FIX
PROBLEM SUMMARY
USERS AFFECTED
WebSphere application server users of SimpleFileServlet.
PROBLEM DESCRIPTION
URIs may be served as plain text, with raw content sent back to the client.
RECOMMENDATION:
None
The web engine does not block some invalid URIs and instead sends raw
content to clients. In security mode, this type of URI can bypass the
security challenge. This problem only occurs on Linux or UNIX systems.
PROBLEM CONCLUSION
SimpleFileServlet uses JDK java.io.File to validate requested resources.
SimpleFileServlet was fixed so that it blocks such invalid URIs.
Prerequisites
Please download the UpdateInstaller below to install this fix.