tomcat-dev mailing list archives

From GOMEZ Henri <hgo...@slib.fr>
Subject RE: cvs commit: jakarta-tomcat RELEASE-PLAN-3.3
Date Tue, 15 May 2001 13:12:56 GMT
getRemoteHost() is now fixed in CVS :)

Same as TC 3.2.2....

-
Henri Gomez                 ___[_]____
EMAIL : hgomez@slib.fr        (. .)                     
PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



>-----Original Message-----
>From: larryi@apache.org [mailto:larryi@apache.org]
>Sent: Tuesday, May 15, 2001 3:00 PM
>To: jakarta-tomcat-cvs@apache.org
>Subject: cvs commit: jakarta-tomcat RELEASE-PLAN-3.3
>
>
>larryi      01/05/15 05:59:53
>
>  Modified:    .        RELEASE-PLAN-3.3
>  Log:
>  Update to move getRequestURI problem to Beta 1.
>  
>  Indicate requirement in Milestone 3 to check security 
>problem of URL's with
>  escape sequences being able to reveal JSP source.
>  
>  Indicate requirement in Beta 1 to address problem of 
>getResource() allowing
>  access to files outside the web application with paths 
>containing the right
>  escape sequences.
>  
>  Revision  Changes    Path
>  1.11      +8 -5      jakarta-tomcat/RELEASE-PLAN-3.3
>  
>  Index: RELEASE-PLAN-3.3
>  ===================================================================
>  RCS file: /home/cvs/jakarta-tomcat/RELEASE-PLAN-3.3,v
>  retrieving revision 1.10
>  retrieving revision 1.11
>  diff -u -r1.10 -r1.11
>  --- RELEASE-PLAN-3.3	2001/05/15 09:47:52	1.10
>  +++ RELEASE-PLAN-3.3	2001/05/15 12:59:49	1.11
>  @@ -75,7 +75,7 @@
>   
>        Known issues in order of priority
>   
>  -     1. getRequestURI() should return an encoded string (if 
>feasible)
>  +     1. Verify that JSP source is not served when escaping 
>tricks are used
>        2. Update build process to create archives and 
>internal directory
>           structure consistent with other Jakarta projects, i.e. use
>           jakarta-tomcat-3.3-xxx.
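Review bot: the new item 1 ("Verify that JSP source is not served when escaping tricks are used") carries no acceptance criterion, so whoever takes it cannot tell when it is done. The log message narrows the problem to URLs with escape sequences, so the item should say which request forms the check must cover (escape sequences in path segments and in the file extension, exercised against both the JSP mapping and the default file servlet) and that any case where source is returned becomes a fix item in the same milestone rather than remaining a verification.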
>  @@ -105,13 +105,16 @@
>              object in the session.  The spec calls for the reverse.
>           B. setAttribute() doesn't call valueUnbound() for the
>              object it replaces, if present.
>  -     3. Session recyling includes keeping the 
>HttpSessionFacade.  I believe
>  +     3. Fix getResource() to not allow access to files 
>outside of the web
>  +        application.
>  +     4. Session recyling includes keeping the 
>HttpSessionFacade.  I believe
>           this represents a security risk.   May need to 
>discard session
>           facades, or at least discard them for untrusted web 
>applications.
>  -     4. Update getRemoteHost() to be consistent with Tomcat 
>3.2.2, which
>  +     5. getRequestURI() should return an encoded string
>  +     6. Update getRemoteHost() to be consistent with Tomcat 
>3.2.2, which
>           does a reverse DNS lookup.
>  -     5. Verify no reqressions.
>  -     6. TBD...
>  +     7. Verify no reqressions.
>  +     8. TBD...
>   
>   
>   Tomcat 3.3 Beta 2:
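Review bot: new item 3 ("Fix getResource() to not allow access to files outside of the web application") should state how the fix is to be judged: the log message ties the problem to escape sequences in the path, so the item should require that the path be decoded and canonicalized (".." and encoded separators resolved) before it is compared against the web application root, since a fix that only filters the raw request string misses exactly the cases that motivated it. Two smaller points on the same hunk: the re-added item 5 drops the "(if feasible)" qualifier that the getRequestURI() item had before this commit, so say whether an encoded return value is now a firm requirement; and as the "Session recyling" and "Verify no reqressions" lines are being rewritten here anyway, correct them to "recycling" and "regressions".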
>  
>  
>  
>
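The getResource() item in the quoted plan calls for resources to stay inside the web application even when the request path carries escape sequences. The class below is an added illustration of that check, written for this page; it is not Tomcat code and does not reproduce how Tomcat 3.3 fixed the problem. It assumes the caller passes the raw, still-encoded path from the request and that the web application root is a directory on the local file system; the class and method names are my own.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative resolver (not Tomcat's own code): maps a request path to a
 * file only when the decoded, canonicalized path stays under the web
 * application root. Both the percent-decoding and the prefix check are
 * done here so that encoded separators and ".." segments cannot escape.
 */
public class SafeResourceResolver {

    private final File root;          // canonical web application root
    private final String rootPrefix;  // root path plus separator, for the prefix test

    public SafeResourceResolver(File webAppRoot) throws IOException {
        this.root = webAppRoot.getCanonicalFile();
        this.rootPrefix = root.getPath() + File.separator;
    }

    /**
     * Returns the file for the request path, or null when the path is
     * malformed or resolves to a location outside the web application.
     */
    public File resolve(String requestPath) throws IOException {
        if (requestPath == null) {
            return null;
        }
        String decoded = percentDecode(requestPath);
        if (decoded == null) {
            return null;                       // truncated or malformed escape
        }
        // Policy choice for this example: a '%' surviving a single decode means
        // the request was double-encoded; NUL never belongs in a file path.
        if (decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0) {
            return null;
        }
        // getCanonicalFile() resolves "." and "..", and on Windows also case
        // and short-name aliases, so the prefix check sees the real path.
        File candidate = new File(root, decoded).getCanonicalFile();
        String candidatePath = candidate.getPath();
        if (!candidatePath.equals(root.getPath()) && !candidatePath.startsWith(rootPrefix)) {
            return null;                       // outside the web application
        }
        return candidate;
    }

    /**
     * Decodes %XX escapes exactly once into UTF-8. Unlike URLDecoder this does
     * not turn '+' into a space, which is correct for the path part of a URL.
     * Returns null for a truncated or non-hex escape.
     */
    static String percentDecode(String s) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) {
                    return null;               // "%" or "%X" at end of input
                }
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) {
                    return null;               // non-hex escape such as "%zz"
                }
                bytes.write((hi << 4) | lo);
                i += 2;
            } else {
                byte[] b = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
                bytes.write(b, 0, b.length);
            }
        }
        return new String(bytes.toByteArray(), StandardCharsets.UTF_8);
    }

    // Constructed demonstration: a traversal attempt written with an encoded
    // separator is rejected, a plain in-root path is accepted.
    public static void main(String[] args) throws IOException {
        SafeResourceResolver r = new SafeResourceResolver(new File("webapps/example"));
        System.out.println(r.resolve("/WEB-INF/web.xml") != null);   // inside root
        System.out.println(r.resolve("/..%2F..%2Fetc%2Fpasswd"));    // null
    }
}
```

The order matters: decode first, canonicalize second, compare last. Checking the raw string for ".." before decoding, or comparing against the root before canonicalization, leaves the gap the plan item describes. Keeping the check in one place also means getResource(), getResourceAsStream() and getRealPath() can share it rather than each carrying a separate filter.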
