tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: svn commit: r543366 - in /tomcat/connectors/trunk/jk/xdocs: reference/apache.xml webserver_howto/apache.xml
Date Fri, 01 Jun 2007 02:45:51 GMT

<markt@apache.org> wrote in message 
news:20070601023541.022721A981A@eris.apache.org...
> Author: markt
> Date: Thu May 31 19:35:40 2007
> New Revision: 543366
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=543366
> Log:
> Add a warning to the httpd docs. There have been a couple of security 
> reports, bugs and questions to the users list about this recently.
>
> Modified:
>    tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
>    tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
>
> Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
> URL: 
> http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=543366&r1=543365&r2=543366
> ==============================================================================
> --- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
> +++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Thu May 31 
> 19:35:40 2007
> @@ -13,7 +13,8 @@
>
> <body>
>
> -<section name="Configuration Directives"> <p>
> +<section name="Configuration Directives">
> +<p>
> Most of the directives are allowed once in the global part of the Apache 
> httpd
> configuration and once in every &lt;VirtualHost&gt; elements. Exceptions 
> from this rule are
> explicitely listed in the table below.
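Review bot: while this hunk only moves `<p>` onto its own line, the context line `explicitely listed in the table below.` (and the same word in the next hunk) misspells "explicitly"; since the paragraph is being touched anyway, correcting it in the same commit keeps both documents consistent.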
> @@ -24,6 +25,10 @@
> Exceptions from this rule are
> again explicitely listed in the table below.
> </p>
> +<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat 
> Host's
> +appBase or the docBase of any Context. Configuring httpd/Tomcat this way 
> is very
> +likely to result in JSP source code disclosure and/or other security 
> issues.
> +</b></p>
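Review bot: the added `<p><b>` warning names the consequence (JSP source disclosure) but neither the cause nor the remedy, so an administrator who already has an overlapping DocumentRoot learns nothing about what to change. Suggest one more sentence stating that httpd serves `.jsp` files and the contents of `WEB-INF/` from an overlapping directory as plain files unless those requests are forwarded to Tomcat or denied in httpd, and pointing to an example of the corresponding JkMount and access-denial configuration; the same applies to an `Alias` that points into the appBase, which the text does not mention.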

IMHO, this is misleading.  It requires a lot more httpd configuration to 
make this secure, but it isn't in and of itself insecure.

And, if you are going to go this route, you should also warn about:
   Alias /myapp /var/tomcat/webapps/myapp


> <p>
> Here are the all directives supported by Apache:
> </p>
>
> Modified: tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
> URL: 
> http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml?view=diff&rev=543366&r1=543365&r2=543366
> ==============================================================================
> --- tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml (original)
> +++ tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml Thu May 31 
> 19:35:40 2007
> @@ -44,6 +44,11 @@
> and <a href="../reference/apache.html">Apache</a>.
> </p>
>
> +<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat 
> Host's
> +appBase or the docBase of any Context. Configuring httpd/Tomcat this way 
> is very
> +likely to result in JSP source code disclosure and/or other security 
> issues.
> +</b></p>
> +
> <p>
> This document was originally part of <b>Tomcat: A Minimalistic User's 
> Guide</b> written by Gal Shachor,
> but has been split off for organizational reasons. 
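Review bot: this paragraph is pasted verbatim from the reference/apache.xml hunk above; two copies of a security warning will drift, so keep the full text in one document and have the other link to it (or at least cross-reference the two). The same gap applies here: the text states the risk without saying which configuration avoids it.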




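The kind of httpd configuration Bill says the overlap requires, written out as an added example (it is neither from the commit nor from any message in the thread): the Alias he names, with the rules that keep httpd from serving JSP source or Tomcat's private directories. Assumed: httpd 2.2, mod_jk already loaded with a worker named ajp13, and a webapp at /myapp whose docBase is /var/tomcat/webapps/myapp.

```apache
# Added example, not from the commit or from Bill's message.
# httpd 2.2 syntax; on 2.4, "Require all granted/denied" replaces Order/Allow/Deny.
# Assumptions: mod_jk worker "ajp13", webapp at /myapp, docBase /var/tomcat/webapps/myapp.

# The overlap itself: httpd can now read every file in the webapp tree, so the
# rules below decide what it is allowed to hand out.
Alias /myapp /var/tomcat/webapps/myapp
<Directory "/var/tomcat/webapps/myapp">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Tomcat's private directories must never be served by httpd. The (?i) flag
# matters on case-insensitive filesystems, where /myapp/web-inf/web.xml would
# otherwise map to the same file.
<LocationMatch "(?i)^/myapp/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Everything Tomcat must execute is forwarded to the worker, so httpd never
# returns the raw source. Every extension Tomcat maps to a servlet needs a
# mount; anything not listed here is served by httpd as a plain file.
JkMount /myapp/*.jsp  ajp13
JkMount /myapp/*.jspx ajp13
JkMount /myapp/servlet/* ajp13
```

Without the LocationMatch and JkMount lines the Alias alone is exactly the configuration the warning describes: a request for /myapp/WEB-INF/web.xml or /myapp/index.jsp is answered by httpd from disk.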