From: "Amy Roh"
Reply-To: tomcat-dev@jakarta.apache.org
Subject: Re: Quick suggestion before the new beta tag
Date: Thu, 9 Aug 2001 23:07:02 -0700

It is verified that Win2K is not subject to the security vulnerability.

Amy

----- Original Message -----
From: "Craig R. McClanahan"
To:
Sent: Thursday, August 09, 2001 10:00 PM
Subject: Re: Quick suggestion before the new beta tag

>
>
> On Thu, 9 Aug 2001, Remy Maucherat wrote:
>
> > > Sounds *very* similar to mine (original Win98, Sun JDK 1.3.0_02 although I
> > > don't think that matters if it's not even executing the startup script
> > > correctly).
> > >
> > > I've got the usual config.sys entry to increase environment variable
> > > space:
> > >
> > > shell=c:\command.com c:\ /e:4096 /p
> > >
> > > but Tomcat 4 is *much* less sensitive to this than 3.x was.
> > >
> > > Grumble grumble ... Win98 is also the reason for tonight's release in the
> > > first place .. the stupid OS interprets "/....../" type paths as the same
> > > as an equivalent number of "/../../.." entries (one level per extra dot
> > > beyond the first two).
> >
> > Oh, ok.
> > It doesn't happen with NT/2k, right ?
> >
>
> I haven't tested it myself, but the original reporter said that he
> suspected it *would* fail on NT.
>
> You can try it for yourself on Win2K with the following URL:
>
> http://localhost:8080/.../
>
> If you get a directory listing of the %CATALINA_HOME%\webapps directory,
> then you are subject to the same security vulnerability and should
> upgrade. I'd like to know if it's OK under W2K, though, in order to say
> the right thing in the announcement email.
>
> > Remy
> >
> >
>
> Craig
>
>
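
The kind of request-path check the thread points to, as an added example that is not part of the original messages and is not Tomcat's own code or its actual fix. The class and method names are hypothetical, the sample paths are constructed, and the input is assumed to be already URL-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration; not Tomcat's code. Names are hypothetical.
public class DotSegmentCheck {

    // True when the segment is three or more dots and nothing else, the form
    // Win98 treats as several ".." steps (one level per dot beyond the first two).
    static boolean isMultiDot(String segment) {
        return segment.length() > 2 && segment.chars().allMatch(c -> c == '.');
    }

    // Returns the normalized context-relative path, or null if the request
    // must be refused before any file lookup happens.
    static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> stack = new ArrayDeque<>();
        // Backslash is also a separator on Windows, so fold it into "/".
        for (String segment : path.replace('\\', '/').split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                 // "//" and "/./" add nothing
            }
            if (isMultiDot(segment)) {
                return null;              // never hand "..." to the OS
            }
            if (segment.equals("..")) {
                if (stack.isEmpty()) {
                    return null;          // would climb above the root
                }
                stack.removeLast();
            } else {
                stack.addLast(segment);
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        String[] samples = {"/index.html", "/docs/../index.html", "/.../",
                            "/....../", "/../x", "/a/..b/c"};
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s));
        }
    }
}
```

Rejecting dots-only segments in the server, rather than relying on the operating system to treat them as ordinary names, keeps the result the same on Win98, NT and Win2K.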