tomcat-dev mailing list archives

From "William L. Thomson Jr." <wl...@gentoo.org>
Subject Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
Date Sun, 21 Oct 2007 16:27:46 GMT
On Sun, 2007-10-21 at 09:09 -0400, Mark Thomas wrote:
> Rémy Maucherat wrote:
> > Since it's an obvious hacking attempt, I chose to use this method
> > instead:
> >             documentBuilder.setEntityResolver
> >                 (new EntityResolver() {
> >                     public InputSource resolveEntity(String publicId, String systemId)
> >                         throws SAXException, IOException {
> >                         return new InputSource(new StringReader(""));
> >                     }
> >                 });
> > 
> > -> no logging, replace with blank text (I was using an ISE right before
> > instead of an input source, but there's no real justification)
> 
> I don't think no logging for an obvious hacking attempt is a good idea.
> 
> I also think that there is a slim chance of a legitimate use of an
> entity and in this case the logging gives the administrator a chance
> of working out why something isn't working.

I take it downstreams should run with the first patches to work around
this vulnerability till the next release. I already applied the one liner,
kinda glad I did not apply the other last night ;) Please advise,
thanks.

-- 
William L. Thomson Jr.
Gentoo/Java
