On Wed, 9 Oct 2002, Henri Gomez wrote:
> Date: Wed, 09 Oct 2002 18:13:10 +0200
> From: Henri Gomez <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: apps conversion from 3.3.1 to 4.1.12
>
>
> > Haven't looked at the code, but here's a couple of thoughts that might
> > help:
> >
> > If your path above ("../../../settings.xml") is attempting to go above
> > the context root of the webapp, it's pretty much guaranteed to fail
> > because of the security restrictions. Undoing that restriction would just
> > create a bunch of CERT reports about Tomcat letting you browse the entire
> > directory structure of your disk.
>
> I agree, but the ../../../settings.xml was set in web.xml, under
> administrator control, and Tomcat can't even overwrite it.
>
> We've got another problem here, since Tomcat 3.3.x allows this but
> Tomcat 4.1.x prevents it. Should we fix Tomcat 3.3.2?
>
> > One of the important enablers for using external entity files in Digester
> > is to use the Digester.parse() that takes an InputSource (rather than an
> > InputStream), and be sure you have configured your InputSource to include
> > the source URL. That is necessary for the XML parser to be able to
> > resolve relative system ids. The code in ContextConfig that parses
> > web.xml and TLD files was modified (a while back) to do this kind of
> > thing, if you need an example.
>
> I didn't have access to it, since the external entity is set in web.xml, so
> it is under org.apache.catalina.startup.ContextConfig.applicationConfig
> control, not application control.
>
If this reference is in your web.xml file, then my suggestion is already
being done. To test it, try temporarily copying the settings.xml file
into the WEB-INF directory and changing the relative URL appropriately.
I'd be -1 on removing the security check in 4.x/5.x. Fixing 3.3.2 sounds
like a good idea.
Craig
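The mechanism Craig describes above (give the parser an InputSource that carries the file's own system id so a relative SYSTEM entity resolves against web.xml's directory, and keep the check that refuses anything above the context) as a stand-alone added example. This is not Tomcat or Digester code: it uses plain JAXP SAX instead of Digester.parse(InputSource), the ConfinedResolver class, the parseConfined helper, and the temporary WEB-INF layout with its settings.xml are all constructed here for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not Tomcat/Digester code). Parses an XML file through an
 * InputSource whose system id is set, so a relative SYSTEM entity such as
 * "settings.xml" resolves against the file's directory, and confines every
 * resolved entity to a root directory so "../../../settings.xml" is refused.
 */
public class ConfinedEntityDemo {

    /** Resolves entity system ids against a base URL and rejects anything outside root. */
    static final class ConfinedResolver implements EntityResolver {
        private final URI base;
        private final Path root;

        ConfinedResolver(URI base, Path root) {
            this.base = base;
            this.root = root.toAbsolutePath().normalize();
        }

        @Override
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            // Xerces normally hands us an id already made absolute from the
            // InputSource's system id; resolving against base again is harmless
            // and also covers a parser that passes the raw relative reference.
            URI resolved = base.resolve(systemId);
            if (!"file".equals(resolved.getScheme())) {
                throw new SAXException("refusing non-file entity: " + systemId);
            }
            Path target = Paths.get(resolved).toAbsolutePath().normalize();
            if (!target.startsWith(root)) {
                throw new SAXException("entity escapes " + root + ": " + systemId);
            }
            return new InputSource(Files.newInputStream(target));
        }
    }

    /** Parses xmlFile with entity resolution confined to root; returns the text content. */
    static String parseConfined(Path xmlFile, Path root) throws Exception {
        StringBuilder text = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        };
        URI base = xmlFile.toUri();
        // The key step: without a system id the parser has no base URL and
        // cannot resolve a relative SYSTEM entity at all.
        InputSource source = new InputSource(Files.newInputStream(xmlFile));
        source.setSystemId(base.toString());
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setEntityResolver(new ConfinedResolver(base, root));
        reader.setContentHandler(handler);
        reader.parse(source);
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample layout: <tmp>/WEB-INF/web.xml next to <tmp>/WEB-INF/settings.xml
        Path webInf = Files.createDirectories(Files.createTempDirectory("webapp").resolve("WEB-INF"));
        Files.write(webInf.resolve("settings.xml"),
                "<settings>external-ok</settings>".getBytes(StandardCharsets.UTF_8));

        String relative = "<!DOCTYPE web-app [<!ENTITY settings SYSTEM \"settings.xml\">]>\n"
                + "<web-app>&settings;</web-app>";
        String traversal = "<!DOCTYPE web-app [<!ENTITY settings SYSTEM \"../../../settings.xml\">]>\n"
                + "<web-app>&settings;</web-app>";

        Path goodXml = webInf.resolve("web.xml");
        Files.write(goodXml, relative.getBytes(StandardCharsets.UTF_8));
        System.out.println("relative entity: " + parseConfined(goodXml, webInf));

        Path badXml = webInf.resolve("web-traversal.xml");
        Files.write(badXml, traversal.getBytes(StandardCharsets.UTF_8));
        try {
            parseConfined(badXml, webInf);
            System.out.println("traversal entity: unexpectedly allowed");
        } catch (SAXException e) {
            System.out.println("traversal entity: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Running the class prints the content pulled in from settings.xml for the relative reference and a rejection for the traversal reference. Passing the root as WEB-INF rather than the context root mirrors Craig's test of copying settings.xml into WEB-INF; widen it to the context root if the entity legitimately lives elsewhere under the webapp, but not beyond, for the reason given at the top of the thread.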