tomcat-dev mailing list archives

From Bob Herrmann <...@jadn.com>
Subject security
Date Wed, 16 Oct 2002 21:06:54 GMT

Looking into the Tomcat jars, I noticed the package "org.apache.jk"
isn't blocked... so even with the Security Manager running, I think I am
able to get catalina to load "arbitrary classes" like this,

<%
   org.apache.jk.apr.TomcatStarter.mainClasses = new String[]{ "someClass" };

   org.apache.jk.apr.TomcatStarter.main(new String[0]);
%>

So, my question is, should we "block" access to package "org.apache.jk"
from webapps?

Cheers,
-bob
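
Added example, not part of the original message or of Tomcat's code: a defender-side audit that lists the packages in a jar that the Java `package.access` security property does not restrict, using the same prefix rule as `SecurityManager.checkPackageAccess`. The jar contents, the `package.access` value and all function names are constructed for illustration; only `org.apache.jk.apr.TomcatStarter` comes from the message.

```python
import io
import zipfile

def restricted(pkg, package_access):
    """Apply the checkPackageAccess rule: pkg starts with or equals an entry."""
    for entry in (e.strip() for e in package_access.split(",")):
        if entry and (pkg.startswith(entry) or entry == pkg + "."):
            return True
    return False

def packages_in_jar(jar):
    """Return the set of Java package names that have classes in a jar."""
    pkgs = set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and "/" in name:
                pkgs.add(name.rsplit("/", 1)[0].replace("/", "."))
    return pkgs

def unrestricted_packages(jar, package_access):
    """Packages a webapp could reference without an accessClassInPackage check."""
    return sorted(p for p in packages_in_jar(jar)
                  if not restricted(p, package_access))

def sample_jar():
    """Constructed in-memory jar (empty class entries) standing in for a server jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in ("org/apache/catalina/startup/Bootstrap.class",
                      "org/apache/jk/apr/TomcatStarter.class",
                      "org/apache/jk/server/JkMain.class"):
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf

# Constructed sample value, not taken from any Tomcat release.
SAMPLE_ACCESS = "sun.,org.apache.catalina.,org.apache.jasper."

if __name__ == "__main__":
    # Before: the org.apache.jk packages are reported as unrestricted.
    print(unrestricted_packages(sample_jar(), SAMPLE_ACCESS))
    # After adding "org.apache.jk." to the list, nothing is reported.
    print(unrestricted_packages(sample_jar(), SAMPLE_ACCESS + ",org.apache.jk."))
```

The trailing dot in a list entry matters: `org.apache.jk.` covers `org.apache.jk` and its subpackages, but not an unrelated package that merely shares the prefix `org.apache.jk`.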




