From bloritsch@infoplanning.com Wed Jul 12 19:42:59 2000
Return-Path:
Mailing-List: contact cocoon-dev-help@xml.apache.org; run by ezmlm
Delivered-To: mailing list cocoon-dev@xml.apache.org
Received: (qmail 32704 invoked from network); 12 Jul 2000 19:42:59 -0000
Received: from fw.infoplanning.net (HELO infoplanning.com) (@209.8.58.131) by locus.apache.org with SMTP; 12 Jul 2000 19:42:59 -0000
Received: (qmail 12861 invoked from network); 12 Jul 2000 18:44:20 -0000
Received: from minie (HELO infoplanning.com) (192.168.0.189) by inet with SMTP; 12 Jul 2000 18:44:20 -0000
Message-ID: <396CC8CA.8F3721F@infoplanning.com>
Date: Wed, 12 Jul 2000 15:36:42 -0400
From: Berin Loritsch
X-Mailer: Mozilla 4.72 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Cocoon Dev List
Subject: SECURITY ALERT!!!!!
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

When testing Cocoon 2 on my Linux box, I typed in the following URL:

http://goat.infoplanning.com//

Cocoon (being mapped to the root context) returned the root directory of my system:

/bin
/etc
/home
/proc
/sbin
/usr
....

This is BAD. I know I get the DirectoryGenerator when I end my URL with a slash, but I should never get anything outside the servlet context.

I tried that, because I wanted to see if I can get the listing of my ROOT context in Tomcat
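The failure mode reported above, as an added illustration that is not Cocoon's own code: a resolver that joins the request path onto the context root with a path-join call discards the root as soon as the request path is absolute, so "/" or "//" lands on the filesystem root. The hardened version treats the request path as relative, normalizes it, and refuses anything that escapes the context root. The context root used here is a constructed value.

```python
import posixpath
from typing import Optional

# Constructed example value, not taken from the original report.
CONTEXT_ROOT = "/srv/tomcat/webapps/ROOT"


def naive_resolve(context_root: str, request_path: str) -> str:
    """Illustrative resolver with the same defect as the report describes.

    posixpath.join throws away every earlier component when it meets an
    absolute one, so a request path of "/" or "//" resolves to the
    filesystem root and a directory generator would list "/bin /etc ...".
    """
    return posixpath.join(context_root, request_path)


def safe_resolve(context_root: str, request_path: str) -> Optional[str]:
    """Map a request path into the context root, or return None if the
    normalized result would leave it.

    Containment is checked on the normalized string; a production resolver
    should additionally resolve symlinks (realpath) before the check.
    """
    root = posixpath.normpath(context_root)
    # Strip every leading slash so the request path can only be relative.
    relative = request_path.lstrip("/")
    # Collapse "..", "." and repeated slashes before comparing.
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Accept the root itself or anything strictly beneath it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/", "//", "/docs/", "/../../etc"):
        print(f"{path!r:14} naive={naive_resolve(CONTEXT_ROOT, path)!r:30} "
              f"safe={safe_resolve(CONTEXT_ROOT, path)!r}")
```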