Better fix for JSPWIKI-319 by actually checking for case properly.
git-svn-id: https://svn.apache.org/repos/asf/incubator/jspwiki/branches/JSPWIKI_2_6_BRANCH@686470 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/src/com/ecyrd/jspwiki/attachment/AttachmentManager.java b/src/com/ecyrd/jspwiki/attachment/AttachmentManager.java
index b4ad1bc..e6d47b7 100644
--- a/src/com/ecyrd/jspwiki/attachment/AttachmentManager.java
+++ b/src/com/ecyrd/jspwiki/attachment/AttachmentManager.java
@@ -612,12 +612,13 @@
//
filename = filename.trim();
- // If file name ends with .jsp, the user is being naughty!
- if ( filename.endsWith( ".jsp" ) || filename.endsWith( ".JSP" ) )
+ // If file name ends with .jsp or .jspf, the user is being naughty!
+ if( filename.toLowerCase().endsWith( ".jsp" ) || filename.toLowerCase().endsWith(".jspf") )
{
- AttachmentServlet.log.error( "Illegal file name." );
+ log.info( "Attempt to upload a file with a .jsp/.jspf extension. In certain cases this" +
+ " can trigger unwanted security side effects, so we're preventing it." );
- throw new WikiException( "Illegal file name." );
+ throw new WikiException( "Unwanted file name." );
}
//
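Review bot: The test `filename.toLowerCase().endsWith( ".jsp" ) || filename.toLowerCase().endsWith(".jspf")` is still a deny-list of two suffixes, so it only protects while every name the servlet container would treat as a JSP literally ends in one of them after `trim()`. An allow-list of permitted attachment extensions would be more robust, and it is worth confirming that the attachment store lies outside any path the container serves or compiles. The new `log.info` call lowers the severity from error and records neither the rejected name nor the requester, which makes a blocked attempt hard to find later; something like `log.warn( "Rejected attachment upload, disallowed extension: " + <sanitised filename> );` would serve detection better. The enclosing method starts and ends outside the hunk, so any earlier normalisation of `filename` is not visible here.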