> Haven't looked at the code, but here's a couple of thoughts that might
> help:
> 
> If your path above ("../../../settings.xml") is attempting to go above
> the context root of the webapp, it's pretty much guaranteed to fail
> because of the security restrictions.  Undoing that restriction would just
> create a bunch of CERT reports about Tomcat letting you browse the entire
> directory structure of your disk.

I agree, but the ../../../settings.xml was set in web.xml, under
administrator control, and Tomcat can't even overwrite it.

We've got another problem here, since Tomcat 3.3.x allows this but
Tomcat 4.1.x prevents it. Should we fix Tomcat 3.3.2?

> One of the important enablers for using external entity files in Digester
> is to use the Digester.parse() that takes an InputSource (rather than an
> InputStream), and be sure you have configured your InputSource to include
> the source URL.  That is necessary for the XML parser to be able to
> resolve relative system ids.  The code in ContextConfig that parses
> web.xml and TLD files was modified (a while back) to do this kind of
> thing, if you need an example.

Didn't have access to it, since the external entity is set in web.xml, so
it is under org.apache.catalina.startup.ContextConfig.applicationConfig
control, not application control.

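The quoted advice above (parse from an InputSource that carries the document's system id so relative SYSTEM ids resolve, and keep the context-root restriction in place) is illustrated by the following added example. It is not code from the thread or from Tomcat or Digester; it uses plain JAXP/SAX (the layer Digester sits on) with a custom EntityResolver, and assumes Java 11+ and a constructed temporary webapp layout. The class name ConfinedEntityParse, the resolver and the helper methods are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class ConfinedEntityParse {

    /** Serves external entities only when they resolve to a file under baseDir (hypothetical helper). */
    static final class ConfinedResolver implements EntityResolver {
        private final Path baseDir;

        ConfinedResolver(Path baseDir) {
            this.baseDir = baseDir.toAbsolutePath().normalize();
        }

        @Override
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            // The parser hands us systemId already expanded against the document's
            // own system id; that only works if the document InputSource carried one.
            URI uri = URI.create(systemId);
            if (!"file".equals(uri.getScheme())) {
                throw new SAXException("refusing non-file entity: " + systemId);
            }
            Path target = Path.of(uri).toAbsolutePath().normalize(); // collapses any ../ segments
            if (!target.startsWith(baseDir)) {
                throw new SAXException("entity escapes " + baseDir + ": " + systemId);
            }
            InputSource src = new InputSource(Files.newInputStream(target));
            src.setSystemId(target.toUri().toString());
            return src;
        }
    }

    /** Parses doc, allowing external entities only from inside baseDir; returns the element names seen. */
    static List<String> parseConfined(Path doc, Path baseDir)
            throws ParserConfigurationException, SAXException, IOException {
        List<String> seen = new ArrayList<>();
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setEntityResolver(new ConfinedResolver(baseDir));
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                seen.add(qName);
            }
        });
        // Use an InputSource with the document's system id so relative SYSTEM ids
        // such as "settings.xml" or "../../settings.xml" are resolved against it.
        InputSource in = new InputSource(Files.newInputStream(doc));
        in.setSystemId(doc.toUri().toString());
        reader.parse(in);
        return seen;
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout: <tmp>/webapp/WEB-INF/ plus one entity file inside the
        // webapp root and one outside it.
        Path tmp = Files.createTempDirectory("confined");
        Path webapp = tmp.resolve("webapp");
        Path webInf = Files.createDirectories(webapp.resolve("WEB-INF"));
        Files.writeString(webInf.resolve("settings.xml"), "<setting name=\"inside\"/>");
        Files.writeString(tmp.resolve("settings.xml"), "<setting name=\"outside\"/>");

        String inside = "<!DOCTYPE cfg [<!ENTITY s SYSTEM \"settings.xml\">]><cfg>&s;</cfg>";
        String outside = "<!DOCTYPE cfg [<!ENTITY s SYSTEM \"../../settings.xml\">]><cfg>&s;</cfg>";

        Path okDoc = Files.writeString(webInf.resolve("web-ok.xml"), inside);
        System.out.println("inside root  -> " + parseConfined(okDoc, webapp));

        Path badDoc = Files.writeString(webInf.resolve("web-bad.xml"), outside);
        try {
            parseConfined(badDoc, webapp);
        } catch (SAXException e) {
            System.out.println("outside root -> rejected: " + e.getMessage());
        }
    }
}
```

Without the setSystemId() call on the document InputSource the parser has no base to expand "settings.xml" against and falls back to its own default, so the relative reference points somewhere other than next to the document; with it, the resolver sees a fully expanded file: URI and can check it against the webapp root, which is the restriction the quoted message says should stay in place.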