getRemoteHost() is now fixed in CVS :)
Same as TC 3.2.2....
-
Henri Gomez ___[_]____
EMAIL : [EMAIL PROTECTED] (. .)
PGP KEY : 697ECEDD ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 15, 2001 3:00 PM
>To: [EMAIL PROTECTED]
>Subject: cvs commit: jakarta-tomcat RELEASE-PLAN-3.3
>
>
>larryi 01/05/15 05:59:53
>
> Modified: . RELEASE-PLAN-3.3
> Log:
> Update to move getRequestURI problem to Beta 1.
>
> Indicate requirement in Milestone 3 to check security problem of URLs with
> escape sequences being able to reveal JSP source.
>
> Indicate requirement in Beta 1 to address problem of getResource() allowing
> access to files outside the web application with paths containing the right
> escape sequences.
>
> Revision Changes Path
> 1.11 +8 -5 jakarta-tomcat/RELEASE-PLAN-3.3
>
> Index: RELEASE-PLAN-3.3
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat/RELEASE-PLAN-3.3,v
> retrieving revision 1.10
> retrieving revision 1.11
> diff -u -r1.10 -r1.11
> --- RELEASE-PLAN-3.3 2001/05/15 09:47:52 1.10
> +++ RELEASE-PLAN-3.3 2001/05/15 12:59:49 1.11
> @@ -75,7 +75,7 @@
>
> Known issues in order of priority
>
> - 1. getRequestURI() should return an encoded string (if
>feasible)
> + 1. Verify that JSP source is not served when escaping
>tricks are used
> 2. Update build process to create archives and
>internal directory
> structure consistent with other Jakarta projects, i.e. use
> jakarta-tomcat-3.3-xxx.
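Review bot: the new item 1 ("Verify that JSP source is not served when escaping tricks are used") gives Milestone 3 no pass/fail criterion, because it does not say which escaping tricks are meant; the commit log is more specific ("URLs with escape sequences being able to reveal JSP source"), so the plan item should name the URL escape sequences to be covered and the expected outcome (the JSP is executed or the request rejected, never its source returned). It would also help to note in the item that the removed getRequestURI() entry has moved to Beta 1 rather than been dropped, since the hunk on its own reads as a deletion.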
> @@ -105,13 +105,16 @@
> object in the session. The spec calls for the reverse.
> B. setAttribute() doesn't call valueUnbound() for the
> object it replaces, if present.
> - 3. Session recyling includes keeping the
>HttpSessionFacade. I believe
> + 3. Fix getResource() to not allow access to files
>outside of the web
> + application.
> + 4. Session recyling includes keeping the
>HttpSessionFacade. I believe
> this represents a security risk. May need to
>discard session
> facades, or at least discard them for untrusted web
>applications.
> - 4. Update getRemoteHost() to be consistent with Tomcat
>3.2.2, which
> + 5. getRequestURI() should return an encoded string
> + 6. Update getRemoteHost() to be consistent with Tomcat
>3.2.2, which
> does a reverse DNS lookup.
> - 5. Verify no reqressions.
> - 6. TBD...
> + 7. Verify no reqressions.
> + 8. TBD...
>
>
> Tomcat 3.3 Beta 2:
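Review bot: the renumbered lines carry over two typos that are being touched anyway: "recyling" in item 4 should read "recycling" and "reqressions" in item 7 should read "regressions". On content, item 3 ("Fix getResource() to not allow access to files outside of the web application") states the goal but not the check; the log message says the problem is paths containing the right escape sequences, so the item should spell out what the fix must do (canonicalize the path before testing that it stays under the web application root), otherwise the later "verify no regressions" step has nothing concrete to test against. Item 5 also drops the "(if feasible)" qualifier that the old item 1 in the previous hunk carried; if that is intentional, i.e. it is now a hard Beta 1 requirement, say so in the log, otherwise restore it.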