I know we are going a little off the original topic, but for me this is very interesting.
I think I understand your point: any library in /webapp/lib/ that has access to executing Linux commands (as you point out) could be executed as well from any browser. If the invoker is not enabled, unless this class is mapped there is no possible harm. Your example made clear the damage potential in using the invoker. But: unless there are JARs with these capabilities in Tomcat's distribution or standard packages (like xstream, axis, itext, ...) this is a very improbable situation, right? Because whoever writes this URL should precisely know the architecture of the application in order to use a non-standard library or servlet.

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, 08 June 2011 12:21
To: Tomcat Users List
Subject: Re: Static resource mapping in web.xml

falva...@geocom.com.uy wrote:
...
>
> Invoker: I know it is bad (even more than the overlord), probably don't know
> how bad or the impact it has in usage, but for now it works.
>
> I've read some about it, but never could really understand the problems it
> brings.
> http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q3

Basically, unless you are very very careful, it allows anyone, through a carefully crafted request URL, to invoke this nasty class in this nasty jar, which does a "rm -r /*" or a "cat /etc/my/secret/file" or whatever else is really nasty.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
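As an added illustration, not written by anyone in this thread, here is the shape of an application's WEB-INF/web.xml that keeps the classes in WEB-INF/lib unreachable from a browser: only the servlets the application deliberately declares get a URL, and everything else on the classpath has none. The servlet names, class names and URL patterns below are placeholders. The block shown commented out is the invoker declaration from Tomcat's own conf/web.xml in the versions that shipped it; "disabling the invoker" means that declaration is absent (or commented out) so that no request path can be turned into a class name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical WEB-INF/web.xml. Servlet names, classes and URL patterns
     are placeholders chosen for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Every servlet that should be reachable is declared by name ... -->
  <servlet>
    <servlet-name>reportServlet</servlet-name>
    <servlet-class>com.example.app.ReportServlet</servlet-class>
  </servlet>

  <!-- ... and bound to one explicit URL pattern. A class that sits in
       WEB-INF/lib but is not declared here cannot be addressed by any URL. -->
  <servlet-mapping>
    <servlet-name>reportServlet</servlet-name>
    <url-pattern>/reports</url-pattern>
  </servlet-mapping>

  <!-- Static files go to the container's default servlet, which serves
       files from the web application directory and never loads classes. -->
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/static/*</url-pattern>
  </servlet-mapping>

  <!-- What must NOT be present: the invoker mapping from Tomcat's default
       conf/web.xml in the versions that shipped it. With it enabled, the
       class to run is derived from the request path under /servlet/, so
       any class on the classpath becomes reachable without being declared.
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

</web-app>
```

The check a practitioner would want is twofold: confirm that $CATALINA_HOME/conf/web.xml contains no active `invoker` servlet and servlet-mapping, and confirm that each application's WEB-INF/web.xml declares only the servlets it intends to expose, since a library class in WEB-INF/lib that is never named in a servlet-mapping has no URL at all once the invoker is gone.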