tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 13365] - JSP source disclosure vulnerability not fixed when invoking servlets by name
Date Mon, 07 Oct 2002 16:41:46 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365

JSP source disclosure vulnerability not fixed when invoking servlets by name

super-creek@jcom.home.ne.jp changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|Windows NT/2K               |All
           Platform|PC                          |All



------- Additional Comments From super-creek@jcom.home.ne.jp  2002-10-07 16:41 -------
For example, by applying the following patch, is this bug fixed?

Index: jakarta-tomcat-4.0/catalina/src/conf/web.xml
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
retrieving revision 1.44
diff -u -w -r1.44 web.xml
--- jakarta-tomcat-4.0/catalina/src/conf/web.xml	21 Sep 2002 16:23:28 -
0000	1.44
+++ jakarta-tomcat-4.0/catalina/src/conf/web.xml	7 Oct 2002 16:21:49 -
0000
@@ -41,7 +41,7 @@
   <!--                       rejected?  [true]                              -->
 
     <servlet>
-        <servlet-name>default</servlet-name>
+        <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-
name>
         <servlet-class>
           org.apache.catalina.servlets.DefaultServlet
         </servlet-class>
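Review bot: The new `<servlet-name>` on the added line drops the name `default`, so any other `web.xml` that maps URL patterns to `<servlet-name>default</servlet-name>` would no longer resolve after this change; that compatibility impact should be stated or handled. The hunk also carries no comment explaining why the name now has to equal the `<servlet-class>` value, so a later cleanup could rename it back. Suggest adding an XML comment above `<servlet>` that references bug 13365 and says the name is deliberate.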
@@ -265,7 +265,7 @@
 
     <!-- The mapping for the default servlet -->
     <servlet-mapping>
-        <servlet-name>default</servlet-name>
+        <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-
name>
         <url-pattern>/</url-pattern>
     </servlet-mapping>
 
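Review bot: The `<servlet-name>` in the `/` mapping has to stay identical to the one in the `<servlet>` declaration from the first hunk, and nothing in the file records that dependency; if only one of the two is edited later, the `/` mapping refers to a servlet name that is not declared. The existing line `<!-- The mapping for the default servlet -->` is a natural place to note that the name is intentionally the class name. The patch also leaves the Invoker itself untouched, so it should be checked against the bug's reproduction case before being treated as a fix.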

# I individually think that a fundamental means to solve this problem is
# to abolish or remove Invoker itself.
