From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release
Date Sat, 02 Mar 2002 05:08:27 GMT
Remy Maucherat wrote:
> 
> A security vulnerability affecting the sandboxing provided by the Java
> Security Manager has been discovered. The request dispatcher functionality of
> the Servlet API could be used by a malicious servlet or JSP page to get
> access to any resource located on the server's filesystem, bypassing the
> Security Manager protection.
> 
> Note: People who are not using Tomcat with the Security Manager are not
> affected by this problem, and do not need to upgrade.
>

This statement is misleading.  I reviewed the bug report and patch.
The security bug had nothing to do with the SecurityManager implementation
itself.  It was due to the file path not being normalized before getting
the RequestDispatcher for it.  Tomcat would be vulnerable to this regardless
of whether it was running with the SecurityManager or not.

In fact if you were running Tomcat with the SecurityManager enabled and
a strict catalina.policy which restricted file access with FilePermissions
you would be less vulnerable than Tomcat running without the SecurityManager.

Sorry this is a few hours too late for the announcement.

Perhaps a followup announcement could be made to correct this.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
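The normalization step Glenn describes, as an added example that is not Tomcat's own code: collapse "." and ".." segments and refuse any path that climbs above the context root before handing it to getRequestDispatcher(). The class and method names are assumptions, and the path is assumed to be already URL-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;

/** Added example (not Tomcat code): gate getRequestDispatcher() on a normalized path. */
public final class DispatcherPathCheck {

    /**
     * Collapses "." / ".." segments and repeated slashes.
     * Returns null when the path is not context-relative or would escape the context root.
     */
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;                       // must be context-relative
        }
        String p = path.replace('\\', '/');    // treat backslashes as separators too
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                      // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;               // ".." above the root: reject
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /** Only dispatches to a path that stays inside the web application (hypothetical helper). */
    public static RequestDispatcher safeDispatcher(ServletContext ctx, String path) {
        String normalized = normalize(path);
        return normalized == null ? null : ctx.getRequestDispatcher(normalized);
    }

    public static void main(String[] args) {
        System.out.println(normalize("/WEB-INF/../index.jsp"));       // /index.jsp
        System.out.println(normalize("/jsp/../../../etc/passwd"));    // null (rejected)
        System.out.println(normalize("/a/./b//c"));                   // /a/b/c
    }
}
```

A trailing slash is dropped by this normalizer, so compare against the normalized form consistently if your mappings distinguish "/dir" from "/dir/".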
