https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|
--- Comment #15 from Mark Thomas 2011-01-05 11:48:05 EST ---
No. The view was that it was mis-configuration rather than a vulnerability (the
default servlet was never intended to be mapped to anything other than /).
--- Comment #14 from Christopher Schultz 2011-01-05 11:30:07 EST ---
Has a CVE number been assigned to this? Seems there should be one, and this
vulnerability should be documented in Tomcat's security page(s).
--- Comment #13 from bozho 2010-10-26 15:09:44 EDT ---
> Insufficient, since that would expose other directories that a site might not
> want to give direct access to.
For example? How would other directories be protected?
> Because the
--- Comment #12 from Chuck Caldarale 2010-10-26 14:21:24 EDT ---
(In reply to comment #11)
> Instead of disallowing the whole remapping of the default servlet, can't this
> be implemented (as suggested) by using the getPathInfo(). for exam
--- Comment #11 from bozho 2010-10-26 13:38:27 EDT ---
Instead of disallowing the whole remapping of the default servlet, can't this
be implemented (as suggested) by using the getPathInfo(). for example:
String pathInfo = request.getPathIn
Mark Thomas changed:
What|Removed |Added
CC||gl...@abv.bg
--- Comment #10 from Ma
--- Comment #9 from Tim Whittington 2010-10-04 23:08:28 EDT ---
Fixes for DefaultServlet and WebdavServlet are committed for 7.0.x (will be in
7.0.4+) and proposed for 6.0.x.
Will need to check 5.5.x and see if a backport is required for
--- Comment #8 from Tim Whittington 2010-10-04 16:09:02 EDT ---
(In reply to comment #5)
> Some random thoughts:
> - The default Servlet doesn't *need* to support serving content from an
> arbitrary mapping. The user can just move the stat
--- Comment #7 from Tim Whittington 2010-10-03 16:54:25 EDT ---
> I personally can live with the WONTFIX, but this leaves a huge security hole
> for companies/ones who are using the DefaultServlet this way. This should
> probably better be
--- Comment #6 from balusc 2010-10-03 11:59:03 EDT ---
@Tim: that was one of my answers over there :) This issue is by the way
triggered by another Stackoverflow question (so it was not my intent to (ab)use
the default servlet like that)
ht
--- Comment #5 from Mark Thomas 2010-10-03 06:05:17 EDT ---
Some random thoughts:
- The default Servlet doesn't *need* to support serving content from an
arbitrary mapping. The user can just move the static content in the web-app to
the des
Tim Whittington changed:
What|Removed |Added
Priority|P2 |P3
Severity|critical
--- Comment #3 from Chuck Caldarale 2010-09-29 12:34:42 EDT ---
(In reply to comment #2)
> No, there are no directories like that in `/static` folder. It actually refers
> to the restricted directories in the context root.
The standard De
--- Comment #2 from balusc 2010-09-29 12:08:27 EDT ---
No, there are no directories like that in `/static` folder. It actually refers
to the restricted directories in the context root.
--- Comment #1 from Pid 2010-09-29 11:57:22 EDT ---
(In reply to comment #0)
> The following in web.xml
>
> <servlet>
>     <servlet-name>static</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
> </servlet>
>
> <servlet-mapping>
>     <servlet-name>static</servlet-name>
>     <url-pattern>/static/*</url-pattern>
> </servlet-mapping>