craigmcc 01/05/14 19:50:12
Modified: . RELEASE-NOTES-4.0-B5.txt
catalina/src/share/org/apache/catalina Globals.java
webapps/ROOT index.html
Log:
Update release notes and public identifiers for "Tomcat 4.0-b5".
Revision Changes Path
1.2 +49 -1 jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B5.txt
Index: RELEASE-NOTES-4.0-B5.txt
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B5.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- RELEASE-NOTES-4.0-B5.txt 2001/05/11 05:55:11 1.1
+++ RELEASE-NOTES-4.0-B5.txt 2001/05/15 02:50:09 1.2
@@ -3,7 +3,7 @@
Release Notes
=============
-$Id: RELEASE-NOTES-4.0-B5.txt,v 1.1 2001/05/11 05:55:11 craigmcc Exp $
+$Id: RELEASE-NOTES-4.0-B5.txt,v 1.2 2001/05/15 02:50:09 craigmcc Exp $
============
@@ -22,6 +22,26 @@
Please report bugs and feature requests under product name "Tomcat 4".
+----> SECURITY ALERT: Two security-related problems were discovered in
+----> the Tomcat 4.0-b4 release which was announced on 05/11/2001. These
+----> vulnerabilities have been fixed in this beta release. Anyone who
+----> downloaded and installed Tomcat 4.0-b4 is urged to upgrade to this
+----> new release immediately.
+
+
+----> UPCOMING CHANGE NOTICE: In a future beta release of Tomcat 4.0, it
+----> is likely that the default operational mode will be to run Tomcat
+----> under a security manager (rather than the current default of not
+----> using one). This may necessitate editing the policy permissions
+----> file ($CATALINA_HOME/conf/catalina.policy) if your web applications
+----> require permissions that are not enabled by default (such as connecting
+----> to network ports). You are urged to test your applications with
+----> Tomcat 4.0-b5 running under the security manager now, so that this
+----> upcoming change will not be disruptive. To do so, start Tomcat 4.0
+----> with the command "$CATALINA_HOME/bin/catalina.sh start -security"
+----> (Unix) or "%CATALINA_HOME%\bin\catalina start -security" (Windows).
+
+
============
NEW FEATURES:
============
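Review bot: the SECURITY ALERT names neither of the two problems nor where in these notes they are described, so a reader deciding whether to upgrade has to hunt through the New Features and Bug Fixes sections; add a one-line pointer to the "Facades" entry under Catalina New Features and the "JSP Source Exposure Vulnerability" entry under Catalina Bug Fixes. The UPCOMING CHANGE NOTICE would also be stronger if it said why the security manager matters now: the facades change only closes the reflection hole for installations that run without one, and nothing else in this release stops a servlet from calling System.exit(0), which is the best argument for testing with "-security" today rather than waiting for the default to flip.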
@@ -31,7 +51,15 @@
Catalina New Features:
---------------------
+Facades: The servlet API implementation objects that are passed to a servlet
+are now protected by facades. This avoids a security vulnerability (that
+existed only when Tomcat 4.0 was *not* run under a security manager) that
+allowed servlets to call arbitrary public methods on these classes via Java
+reflection. NOTE: While facades solve this particular problem, servlets can
+do many other negative things (like shutting down Tomcat by executing
+System.exit(0)) unless you run Tomcat under a security manager.
+
-------------------
Jasper New Features:
-------------------
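Review bot: the facades entry attributes the hole to "Java reflection", but if the servlet API implementation objects are public classes a servlet never needed reflection; it could simply cast the ServletRequest or ServletResponse it receives to the implementation type and call its public methods directly. Say "call arbitrary public methods on the implementation classes, by casting or by reflection" so nobody concludes that restricting reflection alone would have been a sufficient fix. The note's closing phrase "many other negative things" reads loosely for a release note; "many other harmful things (such as shutting down Tomcat with System.exit(0))" keeps the example and says what is meant.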
@@ -50,6 +78,26 @@
------------------
Catalina Bug Fixes:
------------------
+
+JSP Source Exposure Vulnerability: Previous versions of Tomcat would expose
+the source code to a JSP page, on some JDK platforms, when a request URL like
+this was processed:
+ http://localhost:8080/examples/jsp/num/numguess.jsp%00
+The problem occurs because the null character (%00) causes extension mapping
+to fail, so this URL is passed to the default file-serving servlet. If the
+web application is running in an unpacked directory structure, the JDK's
+implementation of the File I/O methods is typically written in C, and the C
+runtimes will not have any problem treating the null character as a filename
+terminator. Now, Tomcat 4.0 will throw HTTP error 400 (bad request) if you
+use invalid characters (including %00) in your request URLs.
+
+StandardClassLoader: Correct resource existence checks when using a URL.
+This was causing automatic class reloading to fail in some cases.
+
+Bootstrap: Preload additional classes necessary to pass all unit test and
+Watchdog tests (and run many other test applications) when a security manager
+is enabled. Previously, problems could occur with
+ServletContext.getResourcePaths() and ServletResponse.setLocale().
----------------
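Review bot: the fix is described as returning 400 for "invalid characters (including %00)" without saying which characters are rejected or whether the check runs on the raw request URI or on the decoded path; operators need both to predict which existing URLs will now fail, and a %00 that is only caught before decoding would leave a literal NUL byte in the request line unhandled. Spell out the rejected set and the point in the pipeline where the check is made. Two other things worth stating explicitly in this entry: "on some JDK platforms" should name the platforms where the exposure was confirmed, and the sentence about "unpacked directory structure" implies that applications deployed as packed WAR files were not affected, which is useful triage information for anyone who ran 4.0-b4 and should be said outright rather than left to inference.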
1.26 +5 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java
Index: Globals.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- Globals.java 2001/05/11 05:55:13 1.25
+++ Globals.java 2001/05/15 02:50:10 1.26
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
1.25 2001/05/11 05:55:13 craigmcc Exp $
- * $Revision: 1.25 $
- * $Date: 2001/05/11 05:55:13 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
1.26 2001/05/15 02:50:10 craigmcc Exp $
+ * $Revision: 1.26 $
+ * $Date: 2001/05/15 02:50:10 $
*
* ====================================================================
*
@@ -69,7 +69,7 @@
* Global constants that are applicable to multiple packages within Catalina.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.25 $ $Date: 2001/05/11 05:55:13 $
+ * @version $Revision: 1.26 $ $Date: 2001/05/15 02:50:10 $
*/
public final class Globals {
@@ -201,7 +201,7 @@
/**
* The descriptive information about this server and version.
*/
- public static final String SERVER_INFO = "Apache Tomcat/4.0-b5-dev";
+ public static final String SERVER_INFO = "Apache Tomcat/4.0-b5";
/**
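Review bot: dropping the "-dev" suffix is the intended release step, but SERVER_INFO is a public static final String, so its value is inlined at compile time into every class that references it; any class compiled against the b5-dev constant and not rebuilt for this release will keep reporting "Apache Tomcat/4.0-b5-dev", which matters because this string is the "descriptive information about this server and version" that clients see. Make sure the release build is a clean rebuild, and consider noting in the javadoc that the constant is compile-time inlined.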
1.18 +2 -2 jakarta-tomcat-4.0/webapps/ROOT/index.html
Index: index.html
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/ROOT/index.html,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- index.html 2001/05/11 05:55:16 1.17
+++ index.html 2001/05/15 02:50:11 1.18
@@ -4,13 +4,13 @@
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.72 [en] (WinNT; U) [Netscape]">
<meta name="Author" content="Anil K. Vijendran">
-<title>Tomcat (v4.0-b5-dev)</title>
+<title>Tomcat (v4.0-b5)</title>
</head>
<body bgcolor="#FFFFFF">
<img SRC="tomcat.gif" height=92 width=130 align=LEFT><b><font face="Arial,
Helvetica, sans-serif"><font size=+3>Tomcat</font></font></b>
<br>
<b><font face="Arial, Helvetica, sans-serif"><font size=-1>Version
-4.0-b5-dev</font></font></b>
+4.0-b5</font></font></b>
<p>This is the default Tomcat home page. This page serves as a quick reference
guide to related resources and is located at:
<ul>