remm 01/10/12 12:29:41
Modified: catalina/src/conf Tag: tomcat_40_branch web.xml
Log:
- Add tougher restrictions on the use of the CGI servlet by default, since the current
installation seems to me exploit-prone (although no actual exploit does exist at
the moment).
- The default web.xml won't attempt to load the CGI servlet anymore (under a
security manager, we would have needed to edit the configuration file to make
it secure).
- The CGI servlet classes won't be available for loading by a web application.
The JAR containing the classes will have to be renamed first.
Revision Changes Path
No revision
No revision
1.22.2.4 +6 -2 jakarta-tomcat-4.0/catalina/src/conf/web.xml
Index: web.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
retrieving revision 1.22.2.3
retrieving revision 1.22.2.4
diff -u -r1.22.2.3 -r1.22.2.4
--- web.xml 2001/10/11 04:10:23 1.22.2.3
+++ web.xml 2001/10/12 19:29:41 1.22.2.4
@@ -202,6 +202,11 @@
<!-- debug Debugging detail level for messages logged -->
<!-- by this servlet. [0] -->
+ <!-- IMPORTANT: To use the CGI servlet, you also need to rename the -->
+ <!-- $CATALINA_HOME/server/lib/servlets-cgi.renametojar to -->
+ <!-- $CATALINA_HOME/server/lib/servlets-cgi.jar -->
+
+<!--
<servlet>
<servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
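Review bot: The added IMPORTANT comment says "you also need to rename" the JAR, but it never states the first step, which is removing the new `<!--` in front of `<servlet>` and its matching `-->`. Suggest spelling out both steps in the comment (uncomment the servlet definition, then rename servlets-cgi.renametojar to servlets-cgi.jar), so an administrator who only renames the file does not wonder why the servlet is still unavailable. This hunk also leaves the servlet mappings section untouched; if a mapping for the cgi servlet-name is active there, it would now point at a definition that is commented out, so it is worth confirming that any such mapping is disabled together with the definition.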
@@ -217,10 +222,9 @@
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi</param-value>
</init-param>
-<!--
<load-on-startup>5</load-on-startup>
--->
</servlet>
+-->
<!-- ================ Built In Servlet Mappings ========================= -->
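Review bot: Dropping the inner `<!--` and `-->` around `<load-on-startup>5</load-on-startup>` is required because XML comments cannot nest, but it means anyone who uncomments the whole `<servlet>` block now also gets load-on-startup enabled, which the previous file kept commented out. Suggest either noting this in the IMPORTANT comment or leaving the `<load-on-startup>` element out of the commented block, so that enabling CGI does not silently change startup behaviour. The bare closing `-->` after `</servlet>` is also easy to miss; a short marker comment after it (for example, one saying where the disabled CGI definition ends) would make the commented extent clear when editing by hand.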