tomcat-dev mailing list archives

From: Rémy Maucherat <r...@apache.org>
Subject: Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
Date: Sun, 21 Oct 2007 12:47:39 GMT
On Sat, 2007-10-20 at 23:04 -0400, Mark Thomas wrote:
> The mitigations available are:
> - - Disable write access until a fixed version is released
> - - Limit write access to trusted users
> - - Apply the following patch which will be included in the next
> releases of 6.0.x, 5.5.x and 4.1.x

Since it's an obvious hacking attempt, I chose to use this method
instead:
    // Swallow every external entity reference: whatever publicId/systemId
    // the DOCTYPE or entity declaration names, the parser gets empty text.
    documentBuilder.setEntityResolver(new EntityResolver() {
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            return new InputSource(new StringReader(""));
        }
    });

-> no logging, replace with blank text (I was using an ISE right before
instead of an input source, but there's no real justification)

Rémy
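To make the mitigation above concrete, here is an added, stand-alone example that is not part of the thread or of Tomcat's own code. It installs the same empty-text EntityResolver on a JDK DocumentBuilder and parses a constructed WebDAV-style request body that declares a SYSTEM entity pointing at a local file; the class name, the sample XML and the file path in it are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class EmptyEntityResolverDemo {

    // Constructed sample body (not from the page): a PROPFIND-style document
    // that declares an external entity and references it in element content.
    private static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE propfind [\n"
        + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<propfind><prop>&ext;</prop></propfind>";

    /**
     * Parse xml with an EntityResolver that answers every external entity
     * lookup with empty text, so the entity expands to nothing and no file
     * or URL named in the document is ever opened by the parser.
     */
    public static Document parseWithEmptyResolver(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder documentBuilder = factory.newDocumentBuilder();
        documentBuilder.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException, IOException {
                // Same technique as the mailing-list post: no logging, blank text.
                return new InputSource(new StringReader(""));
            }
        });
        return documentBuilder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseWithEmptyResolver(SAMPLE_XML);
        // The <prop> element's text is the expansion of &ext;, which is now empty.
        String content = doc.getDocumentElement().getTextContent();
        System.out.println("expanded entity length: " + content.length());
        System.out.println("file contents leaked: " + !content.isEmpty());
    }
}
```

Run it with `javac EmptyEntityResolverDemo.java && java EmptyEntityResolverDemo`; the expanded length is 0 and nothing is read from the path named in the document, because the resolver is consulted before the parser opens any external DTD subset or entity. A defender checking an XML endpoint can reuse `parseWithEmptyResolver` as a regression test: feed it a body with an external entity and assert that the element's text stays empty. On current JDK and Xerces builds the stricter option is to refuse DOCTYPE declarations outright with the `http://apache.org/xml/features/disallow-doctype-decl` feature on the factory, which rejects such requests at parse time rather than silently blanking them.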



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

