tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Date Fri, 19 Nov 2004 21:18:45 GMT


Remy Maucherat wrote:
> Jean-Francois Arcand wrote:
> 
>> It's not useless. Normal permissions are still turned on. It's only 
>> the package protection that is disabled. When disabled, Tomcat 5 is as 
>> unsecure as Tomcat 4 in terms of sniffing/loading classes, but still 
>> secure in terms of browsing the file system etc.
> 
> 
> Possibly. But I don't know what you can do with access to the Tomcat 
> internals, and hacking the container is a bad security problem IMO. I 
> don't see how you could want half assed security. Oh wait, there's 
> Window$, so I guess there are takers ;)

LOL

> 
> BTW, Tomcat 4 did package protection.

Yes. I was meaning the improvement we did 2 years ago that ends up 
adding all those doPrivileged blocks as well as the catalina.properties 
list.

-- Jeanfrancois


> 
> Rémy
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 


