tomcat-dev mailing list archives

From Jean-Francois Arcand <jeanfrancois.arc...@sun.com>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
Date Tue, 01 Oct 2002 15:18:56 GMT
Hi Glenn,

your last addition seems, IMO, to open a security issue with classes 
located under the o.a.c.util directory. Actually, maybe not for Tomcat 
4.1, but for 5.0, I have created a class called SecurityAudit.java that 
contains some security checks. If we port your latest changes, this class 
will be exposed to malicious uses. Also, is there a reason why we are 
giving the "defineClassInPackage"?


I think two solutions are available: (1) move sensitive classes to 
another package; (2) create a "public" package where we want to give 
access to some internal class.

What is your recommendation?

Thanks,

-- Jeanfrancois
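To see exactly what the two defineClassInPackage lines in Glenn's commit (quoted below) cover, here is an added example; it is not Tomcat code and not part of the original message. It evaluates the same RuntimePermission name matching that the policy engine applies when a SecurityManager checks a package definition, so it shows which packages the exact form and the `.*` form each grant. The subpackage names other than org.apache.catalina.util itself, and the narrower "public" package used as an alternative, are hypothetical.

```java
import java.security.Permission;

/*
 * Added example, not Tomcat code: evaluates the scope of the
 * defineClassInPackage grants added to catalina.policy in revision 1.28
 * using RuntimePermission (a BasicPermission) name matching.
 * Subpackage names below other than org.apache.catalina.util are hypothetical.
 */
public class DefineClassGrantCheck {

    // The two grants from the patch, as the policy file spells them.
    static final Permission EXACT =
        new RuntimePermission("defineClassInPackage.org.apache.catalina.util");
    static final Permission WILDCARD =
        new RuntimePermission("defineClassInPackage.org.apache.catalina.util.*");

    // True if 'grant' lets code define a class into package 'pkg'.
    static boolean granted(Permission grant, String pkg) {
        return grant.implies(new RuntimePermission("defineClassInPackage." + pkg));
    }

    public static void main(String[] args) {
        String[] pkgs = {
            "org.apache.catalina.util",           // the package itself
            "org.apache.catalina.util.http",      // hypothetical subpackage
            "org.apache.catalina.util.security",  // hypothetical subpackage
            "org.apache.catalina.utilities",      // same prefix, different package
        };
        for (String p : pkgs) {
            System.out.printf("%-36s exact=%-5b wildcard=%-5b%n",
                    p, granted(EXACT, p), granted(WILDCARD, p));
        }

        // Solution (2) from the message, as a policy grant: define classes only into
        // a dedicated package meant for web-application-visible code (name hypothetical).
        Permission narrow =
            new RuntimePermission("defineClassInPackage.org.apache.catalina.util.pub");
        System.out.println("narrow grant also covers org.apache.catalina.util.security? "
                + granted(narrow, "org.apache.catalina.util.security"));
    }
}
```

The exact form matches only the named package, and the `.*` form matches every package whose name begins with `org.apache.catalina.util.` (but not the bare package, nor a package such as `org.apache.catalina.utilities` that merely shares the prefix); together the two lines in the patch therefore cover the whole tree. Swapping the wildcard for a single named package, as in the narrow grant, is what confines the permission to the code that actually needs it.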



glenn@apache.org wrote:

>glenn       2002/09/30 12:59:47
>
>  Modified:    catalina/src/conf catalina.policy
>  Log:
>  Allow defineClassInPackage for util due to Request Parametermap needs
>  
>  Revision  Changes    Path
>  1.28      +3 -1      jakarta-tomcat-4.0/catalina/src/conf/catalina.policy
>  
>  Index: catalina.policy
>  ===================================================================
>  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v
>  retrieving revision 1.27
>  retrieving revision 1.28
>  diff -u -r1.27 -r1.28
>  --- catalina.policy	8 Sep 2002 18:04:02 -0000	1.27
>  +++ catalina.policy	30 Sep 2002 19:59:47 -0000	1.28
>  @@ -121,6 +121,8 @@
>     // Required for sevlets and JSP's
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
>  +  permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
>  +  permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";
>   
>     // Required for running servlets generated by JSPC
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
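Review bot: the two new defineClassInPackage lines sit under the "Required for sevlets and JSP's" comment, so every code source covered by that grant may define its own classes into org.apache.catalina.util and, through the `.*` form, into every subpackage beneath it, which is far wider than the single Request Parametermap need the log message cites. Suggest narrowing the grant to the one package that code actually defines classes into (or moving that code to a package meant to be visible to web applications) and dropping the `.*` line, and adding a comment above the new permissions saying why defineClassInPackage is needed in addition to the existing accessClassInPackage, since the current comment only explains the access grants.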


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

