tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
Date Sun, 21 Oct 2007 13:09:30 GMT
Rémy Maucherat wrote:
> Since it's an obvious hacking attempt, I chose to use this method
> instead:
>             documentBuilder.setEntityResolver
>                 (new EntityResolver() {
>                     public InputSource resolveEntity(String publicId, String systemId)
>                         throws SAXException, IOException {
>                         return new InputSource(new StringReader(""));
>                     }
>                 });
> 
> -> no logging, replace with blank text (I was using an ISE right before
> instead of an input source, but there's no real justification)

I don't think no logging for an obvious hacking attempt is a good idea.

I also think that there is a slim chance of a legitimate use of an
entity and in this case the logging gives the administrator a chance
of working out why something isn't working.

Mark
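
An added example, not code from this thread or from Tomcat: one way to keep the blank-text substitution from the quoted snippet while also logging the attempt, as the reply asks. The class name, the `clean` helper, the log wording and the sample XML body are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

// Hypothetical class name; combines the blank substitution with a log record.
public class LoggingBlankEntityResolver implements EntityResolver {
    private static final Logger LOG =
        Logger.getLogger(LoggingBlankEntityResolver.class.getName());

    // The identifiers come from the request body, so replace control
    // characters (CR/LF included) and cap the length before logging them.
    static String clean(String s) {
        if (s == null) return "null";
        String t = s.replaceAll("\\p{Cntrl}", "?");
        return t.length() > 200 ? t.substring(0, 200) + "..." : t;
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) {
        LOG.warning("Blocked external entity: publicId=" + clean(publicId)
            + " systemId=" + clean(systemId));
        // Same substitution as the quoted snippet: empty replacement text.
        return new InputSource(new StringReader(""));
    }

    public static void main(String[] args) throws Exception {
        // Constructed XML body; the entity URI is a placeholder.
        String body = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE lockinfo [<!ENTITY e SYSTEM \"file:///constructed/placeholder\">]>\n"
            + "<lockinfo><owner>&e;</owner></lockinfo>";

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(new LoggingBlankEntityResolver());

        Document doc = builder.parse(new InputSource(new StringReader(body)));
        String owner = doc.getElementsByTagName("owner").item(0).getTextContent();
        // The entity expanded to nothing, and one WARNING record was logged.
        System.out.println("owner is empty: " + owner.isEmpty());
    }
}
```

The log record gives the administrator the system identifier that was refused, which covers both the attack case and the rare legitimate entity the reply mentions.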
