http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365
JSP source disclosure vulnerability not fixed when invoking servlets by name
super-creek@jcom.home.ne.jp changed:
What |Removed |Added
----------------------------------------------------------------------------
OS/Version|Windows NT/2K |All
Platform|PC |All
------- Additional Comments From super-creek@jcom.home.ne.jp 2002-10-07 16:41 -------
For example, by applying the following patch, is this bug fixed?
Index: jakarta-tomcat-4.0/catalina/src/conf/web.xml
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
retrieving revision 1.44
diff -u -w -r1.44 web.xml
--- jakarta-tomcat-4.0/catalina/src/conf/web.xml 21 Sep 2002 16:23:28 -
0000 1.44
+++ jakarta-tomcat-4.0/catalina/src/conf/web.xml 7 Oct 2002 16:21:49 -
0000
@@ -41,7 +41,7 @@
<!-- rejected? [true] -->
<servlet>
- <servlet-name>default</servlet-name>
+ <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-
name>
<servlet-class>
org.apache.catalina.servlets.DefaultServlet
</servlet-class>
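Review bot: The rename on the `<servlet-name>` line changes only the label of the default servlet; nothing in this hunk stops the servlet from being invoked under the new name, so whether the by-name disclosure in the bug title is closed depends on a check that is not part of this patch. Please name the existing check that rejects `org.apache.catalina.servlets.DefaultServlet` when it arrives as a servlet name, or include that change here, and add an XML comment above the `<servlet>` element explaining why the name mirrors the class name so that it is not renamed back later.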
@@ -265,7 +265,7 @@
<!-- The mapping for the default servlet -->
<servlet-mapping>
- <servlet-name>default</servlet-name>
+ <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-
name>
<url-pattern>/</url-pattern>
</servlet-mapping>
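Review bot: The `<servlet-name>` in this `<servlet-mapping>` must match the renamed definition character for character, and any web application whose own web.xml maps a URL pattern to the servlet name `default` would no longer find a servlet of that name once this goes in; that compatibility break should be documented or handled. The `+` line is also wrapped across two lines (`</servlet-` / `name>`), so the patch will not apply as posted; attaching it to the bug as a file would avoid that.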
# I individually think that a fundamental means to solve this problem is
# to abolish or remove Invoker itself.