Message-ID: <396DAEDB.5F0A343C@infoplanning.com>
Date: Thu, 13 Jul 2000 07:58:19 -0400
From: Berin Loritsch
To: cocoon-dev@xml.apache.org
Subject: Re: SECURITY ALERT!!!!!
References: <396CC8CA.8F3721F@infoplanning.com> <396CEE95.1B9F816F@apache.org>

Stefano Mazzocchi wrote:
>
> Berin Loritsch wrote:
> >
> > When testing Cocoon 2 on my Linux box, and typed in the following URL:
> >
> > http://goat.infoplanning.com//
> >
> > Cocoon (being mapped to the root context) returned the root directory
> > of my system:
> >
> > /bin
> > /etc
> > /home
> > /proc
> > /sbin
> > /usr
> > ....
> >
> > This is BAD. I know I get the DirectoryGenerator when I end my URL
> > with a slash, but I should never get anything outside the servlet
> > context.
> >
> > I tried that, because I wanted to see if I can get the listing of
> > my ROOT context in Tomcat
>
> This appears as a Tomcat bug, not Cocoon's. Isn't it so?

Nope. It also happens with LWS-2.2.1 (by Gefion Software:
www.gefionsoftware.com)

There is another unrelated bug with Cocoon2 that I will take care of
shortly. It has to do with how we get the path URL that makes Cocoon
dependant on Tomcat.... But that's another issue.
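
The property stated in the report (a URL ending in a slash must never list anything outside the servlet context) can be enforced with a containment check before any directory is read. The following is an added example, not code from Cocoon or from this thread; the class and method names are hypothetical, the temporary directory is a constructed stand-in for the context root, and it does not claim to reproduce the cause of the behaviour reported above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical, not Cocoon's.
public class ContextConfinement {

    /** Map a request path to a location under contextRoot, or throw. */
    static Path resolveInsideContext(Path contextRoot, String requestPath) throws IOException {
        // Canonical form of the root, with symlinks resolved.
        Path root = contextRoot.toRealPath();
        // Drop leading separators so "//" or "/etc" is never treated as an
        // absolute path (Path.resolve returns an absolute argument unchanged).
        String relative = requestPath.replaceFirst("^[/\\\\]+", "");
        // normalize() collapses "." and ".." segments.
        Path candidate = root.resolve(relative).normalize();
        if (Files.exists(candidate)) {
            // Follow symlinks before the containment test.
            candidate = candidate.toRealPath();
        }
        // Path.startsWith compares whole path components, not string prefixes.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("outside servlet context: " + requestPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a temporary directory stands in for the context root.
        Path root = Files.createTempDirectory("ctx");
        Files.createDirectories(root.resolve("docs"));
        // Constructed request paths, including the trailing "//" from the report.
        String[] samples = { "/", "//", "/docs/", "/../", "/docs/../../etc" };
        for (String p : samples) {
            try {
                System.out.println(p + " -> " + resolveInsideContext(root, p));
            } catch (SecurityException e) {
                System.out.println(p + " -> rejected");
            }
        }
    }
}
```

With this check, `/` and `//` both resolve to the context root itself, while the two paths containing `..` are rejected before any listing is produced.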