tomcat-dev mailing list archives

From Remy Maucherat <r...@apache.org>
Subject Re: CoyoteRequest.recycle() and userPrincipal
Date Tue, 30 Sep 2003 17:28:15 GMT
Amy Roh wrote:
> Remy Maucherat wrote:
> 
>> Well, I think it is perfectly acceptable, sorry ;-)
>>
>> BTW, there's no CoyoteRequestFacade.recycle, that's in CoyoteRequest, 
>> and it is obviously a field which needs to be recycled.
> 
> I meant to say CoyoteRequest.  :-)
> 
>> "Fixing" this will create a major security issue. Please refrain from 
>> fixing things you do not seem to understand well, or please only do so 
>> in Sun's repositories.
> 
> I see that there will be security issues if we don't clean up the field 
> in the request.  No such fix will go into Sun's repositories if it's a 
> security issue.  I obviously posted the email to the list for additional 
> comments to understand the code better.

Ok, sorry.

(I'm posting inaccurate stuff right now, anyway)

You see that stuff in StandardSession?

     /**
      * Internal notes associated with this session by Catalina components
      * and event listeners.  <b>IMPLEMENTATION NOTE:</b> This object is
      * <em>not</em> saved and restored across session serializations!
      */
     private transient HashMap notes = new HashMap();


     /**
      * The authenticated Principal associated with this session, if any.
      * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
      * restored across session serializations!
      */
     private transient Principal principal = null;


Well, I think you have to remove the transient. But I think it's there 
for a reason, so at this point I don't want this changed in TC, since I 
consider the issue is not worth it (you can try out a fix on your own of 
course :)).

Remy


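The point of the thread is that a request object which the container reuses between connections must reset every per-request field, the authenticated Principal included, or the identity established on one connection is still present when the same object serves the next one. The following Java program is an added illustration and is not Tomcat's code: PooledRequest, NamedPrincipal and principalSeenBySecondRequest are constructed stand-ins for the container's recycled request, and the flag clearPrincipalOnRecycle only exists to show the two behaviours side by side.

```java
import java.security.Principal;

// Added illustration (not Tomcat's own code): a minimal pooled request object
// showing why every per-request field, including the authenticated Principal,
// must be reset in recycle() before the object serves another connection.
public class RecycleDemo {

    /** Constructed stand-in for a container-managed request that is reused. */
    static final class PooledRequest {
        private String requestUri;
        private Principal userPrincipal;
        private final boolean clearPrincipalOnRecycle; // demo switch, not a real option

        PooledRequest(boolean clearPrincipalOnRecycle) {
            this.clearPrincipalOnRecycle = clearPrincipalOnRecycle;
        }

        void setRequestUri(String uri) { this.requestUri = uri; }
        String getRequestUri() { return requestUri; }

        void setUserPrincipal(Principal p) { this.userPrincipal = p; }
        Principal getUserPrincipal() { return userPrincipal; }

        /** Called by the container before the object is handed to the next connection. */
        void recycle() {
            requestUri = null;
            if (clearPrincipalOnRecycle) {
                userPrincipal = null; // correct: no identity carries over to the next request
            }
            // The flawed variant simply omits that reset, so the previous
            // connection's Principal is still attached when the next one arrives.
        }
    }

    /** Minimal Principal implementation for the demo. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "Principal[" + name + "]"; }
    }

    /**
     * Simulates two consecutive connections served by the same request object:
     * an authenticated request followed by an anonymous one. Returns the
     * Principal the anonymous request observes; null is the only correct answer.
     */
    static Principal principalSeenBySecondRequest(PooledRequest req) {
        // Connection 1: an authenticator verifies credentials and sets the principal.
        req.setRequestUri("/protected/report");
        req.setUserPrincipal(new NamedPrincipal("alice"));
        // ... servlet runs, response is sent, object goes back to the pool ...
        req.recycle();

        // Connection 2: a different client that presented no credentials at all.
        req.setRequestUri("/protected/report");
        return req.getUserPrincipal();
    }

    public static void main(String[] args) {
        Principal leaked = principalSeenBySecondRequest(new PooledRequest(false));
        Principal cleared = principalSeenBySecondRequest(new PooledRequest(true));
        System.out.println("principal not reset in recycle(): " + leaked);
        System.out.println("principal reset in recycle():     " + cleared);
        if (leaked != null) {
            System.out.println("-> an anonymous request would be authorized as " + leaked.getName());
        }
    }
}
```

Run it with javac/java and compare the two lines: with the reset missing, the anonymous second request still carries the first user's Principal, which is exactly the security issue the message warns about; with the reset in place it sees null and has to authenticate on its own. The same reasoning applies to any field the authenticator or a valve sets on the request (roles, session reference, notes): the recycle() path, not the field's initial value, is what guarantees isolation between connections.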