RE: BugRat Report #487 - encodeURL() not working in SSL Scheme (Bug in HttpServletResponseFacade.toAbsolut(String url))

2000-12-11 Thread Stubenrauch,Andreas
Hi, Sorry but bugrat swallowed the workaround: You can install JSSE (Java security Extensions) and set the properties to use the https URLStreamHandler included within there. (Put the JSSE jars in your classpath and add -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol to your

BugRat Report #565 has been filed.

2000-12-11 Thread BugRat Mail System
Bug report #565 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/565 REPORT #565 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: critical

Re: [PROPOSAL] JSSI for Tomcat

2000-12-11 Thread Kief Morris
Hans Bergsten typed the following on 19:17 10/12/2000 -0800 But maybe I'm missing something. Are you saying the whole SSI processing should be done as an interceptor instead of as a servlet? Is this something that could be done as a Servlet 2.3 Filter, and so be completely container

RE: TC 4.0M5 / TC 3.2.1

2000-12-11 Thread GOMEZ Henri
Which can be a good thing if you're using Linux. But if you're doing development on Windows, it's a PITA to take it to your Linux box, and run it through alien so you can put it on your Windows box. I think RPM must/could be used in Unix world but on Windows environment you must use

Re: Enterprise Tomcat

2000-12-11 Thread Pier P. Fumagalli
Falcon cheetah [EMAIL PROTECTED] wrote: I used to work in the second largest financial institute in the world, as they call themselves, here in the US. And they were using stuff other than at that time JServ and early version Tomcat. I believe you're talking about BofA... They're using

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
Thanks, that is what I thought also, but that relative redirect is on the welcome file code of tomcat so I was just verifying... Benoit Lalumiere Software Architect Jambala Innovation Cell Ericsson Canada (LMC) -Original Message- From: Joe Prevo [SMTP:[EMAIL PROTECTED]] Sent: Friday,

BugRat Report #566 has been filed.

2000-12-11 Thread BugRat Mail System
Bug report #566 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/566 REPORT #566 Details. Project: Jasper Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: medium Severity:

Re: cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2000-12-11 Thread Luc Vanlerberghe
Wouldn't it be a better idea NOT to expand the contents of the WEB-INF and META-INF directories along with the rest of the webapp and expand them into some other directory instead? Instead of making everything available and try to restrict access afterwards, it would be much safer not to make it

Re: Problem to limit the number of connections

2000-12-11 Thread Sophie Lemonnier
Dear Arieh, Thank you for your response but I am afraid it does not work! I have entered the following lines in my server.xml file : Connector className="org.apache.tomcat.service.PoolTcpConnector" Parameter name="handler"

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Nacho
Hola Benoit: properly. It takes the host name from the request header but takes the port from the web server (from HttpRequestAdapter.getServerPort). therefore creating a redirect url command with the right IP address but the wrong port (in our case 8080 i.o. 80). That seems to be a

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
I am still using 3.1 but I looked at the code of 3.2 and it is doing the same thing... from the redirect in the DefaultServlet class to the toAbsolute method in the HttpServletResponseFacade class and the HttpRequestAdapter.getServerPort() method Can you tell me in which class you put a fix such

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Nacho
I am still using 3.1 but I looked at the code of 3.2 and it is doing the same thing... from the redirect in the DefaultServlet class to the toAbsolute method in the HttpServletResponseFacade class and the HttpRequestAdapter.getServerPort() method Have a look in the

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
yes it does solve the problem thanks, I guess I missed that change when I did my diffs. but where is the serverport initialized to -1, in the RequestImpl class, it is still initialized to 0... Benoit Lalumiere Software Architect Jambala Innovation Cell Ericsson Canada (LMC) -Original

Custom error pages!!

2000-12-11 Thread Pankaj Bhagat
Hi ppl: I had posted a very simple query..but had not received any comments. So am i the only unlucky person who's stuck on this simple problem. Any suggestions are welcome plz. I want Custom error pages, in my application, the two solutions i have is to use the "ErrorDocument"

Re: BugRat Report #557 has been filed.

2000-12-11 Thread Mike Anderson
This sounds like a DNS issue. One of the things that the Netscape plugin does is try to resolve the remote host name (jk_nsapi_plugin.c line 405). This forces a DNS lookup which is notorious for having problems on NetWare. There are a couple of ways around it. 1. Make sure that the file

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java

2000-12-11 Thread remm
remm 00/12/11 09:07:27 Modified: catalina/src/share/org/apache/catalina/servlets DefaultServlet.java Log: - Fix a security problem where /WEB-INF could be accessed using a path like //WEB-INF. Now, the path is normalized before checking for /WEB-INF.

cvs commit: jakarta-tomcat/src/doc tomcat-ssl-howto.html

2000-12-11 Thread hgomez
hgomez 00/12/11 09:13:30 Modified: src/doc Tag: tomcat_32 tomcat-ssl-howto.html Log: Updated documentation on SSL (SSLVars) Revision Changes Path No revision No revision 1.1.2.2 +14 -3

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SimpleMapper1.java StaticInterceptor.java

2000-12-11 Thread craigmcc
craigmcc 00/12/11 09:52:31 Modified: src/share/org/apache/tomcat/request Tag: tomcat_32 SimpleMapper1.java StaticInterceptor.java Log: Fix a security vulnerability that would display the contents of sensitive files when a URL like this was used:

Re: [PROPOSAL] JSSI for Tomcat

2000-12-11 Thread Hans Bergsten
Kief Morris wrote: Hans Bergsten typed the following on 19:17 10/12/2000 -0800 But maybe I'm missing something. Are you saying the whole SSI processing should be done as an interceptor instead of as a servlet? Is this something that could be done as a Servlet 2.3 Filter, and so be

RE: cvs commit: jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2000-12-11 Thread David Rees
(Don't ask me what I think of stupid operating systems that accept "//" in a pathname and simply ignore them like Linux does ... grrr). SGI IRIX 6.5.8 and FreeBSD 4.1-STABLE also behave the same way, I would expect all Unix machines to do the same. -Dave

[VOTE] Compiling JSP's with debugging info

2000-12-11 Thread Larry Isaacs
Hi, The only feedback on the more specific proposal was from Costin relating to Tomcat 3.3. I'm not sure if I should interpret this as an overall -1 for committing any of these changes to Tomcat 3.2M1. I have no problem making these changes local to SAS Institute's copy of Tomcat 3.2. To

[PATCH] Initialize SessionIdGenerator PRNG

2000-12-11 Thread Marc Saegesser
Attached are patches to StandardManager.java and SessionIdGenerator.java. These changes cause the PRNG used to generate session ids to be initialized when a context is initialized instead of when the first session id is generated. The PRNG used by default in 3.2 (java.security.SecureRandom)

cvs commit: jakarta-tomcat/src/native/mod_jk/iis jk_isapi_plugin.c

2000-12-11 Thread nacho
nacho 00/12/11 13:17:49 Modified: src/native/mod_jk/iis jk_isapi_plugin.c Log: Bug #61 http://znutar.cortexity.com/BugRatAdmin/ShowBug/61 Redirect fails with IE after posting a form to a servlet Reported Solved by Joe Prevo ( [EMAIL PROTECTED] ) Revision Changes

cvs commit: jakarta-tomcat/src/native/iis jk_isapi_plugin.c

2000-12-11 Thread nacho
nacho 00/12/11 13:18:26 Modified: src/native/iis Tag: tomcat_32 jk_isapi_plugin.c Log: Bug #61 http://znutar.cortexity.com/BugRatAdmin/ShowBug/61 Redirect fails with IE after posting a form to a servlet Reported Solved by Joe Prevo ( [EMAIL PROTECTED] ) Revision

CVS Help

2000-12-11 Thread Sean
I am trying to get CVS working on my machine so I can download the latest Tomcat codebase but ... the documentation on the website does not say what or how to get a login and password to the CVS server. How do I get these so I can get access to the server? Any help you can provide on

BugRat Report #567 has been filed.

2000-12-11 Thread BugRat Mail System
Bug report #567 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/567 REPORT #567 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: medium Severity:

Can't stop tomcat on solaris

2000-12-11 Thread Blair Tingey
Hello, I have installed Tomcat 3.1 on Solaris and I have not modified any of the XML files so this is a pretty generic install. After starting tomcat using ./tomcat.sh start I issue the command: ./tomcat.sh stop to stop Tomcat and the process does not stop. It looks as if classes are

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/startup Main.java

2000-12-11 Thread costin
costin 00/12/11 16:42:50 Modified: src/facade22/org/apache/tomcat/facade Servlet22Interceptor.java ServletWrapper.java WebXmlReader.java src/facade22/org/apache/tomcat/modules/facade22

please ignore my previous post

2000-12-11 Thread Cherie Yoon
I apologize. This question was supposed to be sent to tomcat-user. -Original Message- From: Cherie Yoon Sent: Monday, December 11, 2000 6:32 PM To: '[EMAIL PROTECTED]' Subject: path Hi, I got apache-tomcat working on linux. now i would like to load jsp page

[SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Craig R. McClanahan
Over the last three days, a review of published and soon-to-be-published reports of security vulnerabilities in Tomcat has uncovered a series of problems in the 3.1 final release, and a couple of less serious (but still significant) problems in 3.2. Please vote (quickly) on the following two

Re: PoolTcpEndpoint.java

2000-12-11 Thread Glenn Nielsen
I only applied a small patch to PoolTcpEndpoint.java. I am directing this to the tomcat-dev list, there are a lot of different people who work on the tomcat source, so this type of question is best directed to the list. Glenn Boon Hian Tek wrote: Hi Glenn, I saw that you were the last one

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Remy Maucherat
Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems +1. Proposal #2: Release a Tomcat 3.2.1 that fixes the following security problems plus the patches committed to date. +1. Remy

Re: CVS Help

2000-12-11 Thread Jeff Turner
On Mon, 11 Dec 2000, Sean wrote: I am trying to get CVS working on my machine so I can download the latest Tomcat codebase but ... the documentation on the website does not say what or how to get a login and password to the CVS server. How do I get these so I can get access to the

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util SessionIdGenerator.java SessionUtil.java

2000-12-11 Thread craigmcc
craigmcc 00/12/11 17:01:06 Modified: . Tag: TOMCAT_31_BRANCH build.xml src/admin/WEB-INF Tag: TOMCAT_31_BRANCH web.xml src/etc Tag: TOMCAT_31_BRANCH web.xml src/examples/WEB-INF Tag: TOMCAT_31_BRANCH web.xml

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Hans Bergsten
"Craig R. McClanahan" wrote: [...] Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems +0. Is removing TC 3.1 from the download pages an alternative? There shouldn't be any reason for anyone to use TC 3.1 now when 3.2 is released. Upgrading to 3.2.1 could be the

cvs commit: jakarta-tomcat/src/webpages index.html

2000-12-11 Thread craigmcc
craigmcc 00/12/11 17:56:02 Modified: src/share/org/apache/tomcat/core Tag: TOMCAT_31_BRANCH Constants.java src/share/org/apache/tomcat/session Tag: TOMCAT_31_BRANCH ServerSessionManager.java src/webpages Tag:

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Craig R. McClanahan
Hans Bergsten wrote: "Craig R. McClanahan" wrote: [...] Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems +0. Is removing TC 3.1 from the download pages an alternative? There shouldn't be any reason for anyone to use TC 3.1 now when 3.2 is released. Upgrading

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Jon Stevens
on 12/11/2000 5:19 PM, "Craig R. McClanahan" [EMAIL PROTECTED] wrote: Over the last three days, a review of published and soon-to-be-published reports of security vulnerabilities in Tomcat has uncovered a series of problems in the 3.1 final release, and a couple of less serious (but still

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Jon Stevens
on 12/11/2000 5:59 PM, "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I'm certainly game to remove 3.1 once we know that 3.1.1 doesn't introduce any nasty problems, but just removing 3.1 doesn't help all the thousands of people who have apps running on 3.1 and who cannot, for various

RE: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Larry Isaacs
Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems +1 Proposal #2: Release a Tomcat 3.2.1 that fixes the following security problems plus the patches committed to date. + 1 Larry

cvs commit: jakarta-tomcat/src/webpages index.html

2000-12-11 Thread craigmcc
craigmcc 00/12/11 20:51:39 Modified: . Tag: tomcat_32 RELEASE-NOTES src/share/org/apache/tomcat/core Tag: tomcat_32 Constants.java src/webpages Tag: tomcat_32 index.html Log: Change version numbers (and update the release

Compiling JSP's with debugging info in Tomcat 3.3

2000-12-11 Thread Larry Isaacs
BTW, another piece of feedback - would it be possible to implement part of this as an interceptor ? I was assuming for Tomcat 3.3 the JSP option properties would be implemented in JspInterceptor since it is tied to Jasper anyway. Do you have more general plans for JspInterceptor that would

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Nick Bauman
On Mon, 11 Dec 2000, Craig R. McClanahan wrote: Tomcat 3.2 final has the following security vulnerabilities that have subsequently been fixed in the CVS repository: * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can expose sensitive information (note the double slash

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util RequestUtil.java

2000-12-11 Thread remm
remm 00/12/11 23:50:17 Modified: catalina/src/share/org/apache/catalina/util RequestUtil.java Log: - Minor fix : will handle quoted charset names. Revision Changes Path 1.10 +8 -4