tomcat-dev mailing list archives

From "Costin Manolache" <cos...@gmail.com>
Subject Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
Date Mon, 22 Oct 2007 17:35:31 GMT
What is Apache doing? Better be consistent, both sides (log or no log) have
value.

( log - good to know it's happening, no-log - don't want to fill the logs
with garbage if they do it from lots of machines / drones )

Costin

On 10/21/07, Rémy Maucherat <remm@apache.org> wrote:
>
> On Sat, 2007-10-20 at 23:04 -0400, Mark Thomas wrote:
> > The mitigations available are:
> > - Disable write access until a fixed version is released
> > - Limit write access to trusted users
> > - Apply the following patch which will be included in the next
> > releases of 6.0.x, 5.5.x and 4.1.x
>
> Since it's an obvious hacking attempt, I chose to use this method
> instead:
>             documentBuilder.setEntityResolver
>                 (new EntityResolver() {
>                     public InputSource resolveEntity(String publicId, String systemId)
>                         throws SAXException, IOException {
>                         return new InputSource(new StringReader(""));
>                     }
>                 });
>
> -> no logging, replace with blank text (I was using an ISE right before
> instead of an input source, but there's no real justification)
>
> Rémy
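The two options Costin weighs (log the blocked entity, or silently replace it with blank text) can be seen side by side in a small stand-alone program. The following is an added example written for this page, not Tomcat's own code: it parses a constructed PROPFIND-style body that declares an external entity, installs the same kind of `EntityResolver` Rémy describes, and uses a hypothetical `log` flag to switch between the silent and the logging variant. The sample XML, the `file:///does/not/matter` system id, and the `swallowed` counter are all constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class EmptyEntityDemo {

    /** Constructed sample: a WebDAV PROPFIND body that declares an external entity. */
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE D [ <!ENTITY ext SYSTEM \"file:///does/not/matter\"> ]>\n" +
        "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:note>&ext;</D:note></D:prop></D:propfind>";

    /** Hypothetical counter: how many external entity references the resolver swallowed. */
    static int swallowed = 0;

    /**
     * Builds a DocumentBuilder whose EntityResolver never reads the referenced
     * resource; it hands the parser an empty InputSource instead. The 'log'
     * flag is the knob the thread debates: report the blocked reference or not.
     */
    static DocumentBuilder newBuilder(final boolean log) throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        DocumentBuilder documentBuilder = factory.newDocumentBuilder();
        documentBuilder.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException, IOException {
                swallowed++;
                if (log) {
                    // Logging variant: record the attempt so operators can see it.
                    System.err.println("Blocked external entity reference: " + systemId);
                }
                // Silent variant (Rémy's choice): replace the entity with blank text.
                return new InputSource(new StringReader(""));
            }
        });
        return documentBuilder;
    }

    /** Parses the sample and returns whatever the entity expanded to inside D:note. */
    static String parseNote(boolean log) throws Exception {
        Document doc = newBuilder(log).parse(new InputSource(new StringReader(SAMPLE)));
        return doc.getElementsByTagNameNS("DAV:", "note").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String quiet = parseNote(false);   // no output on stderr
        String loud = parseNote(true);     // one "Blocked external entity reference" line
        System.out.println("note content = \"" + quiet + "\" (length " + quiet.length() + ")");
        System.out.println("note content = \"" + loud + "\" (length " + loud.length() + ")");
        System.out.println("resolver invoked " + swallowed + " times");
    }
}
```

In both runs the `D:note` element comes back empty: the parser asked the resolver for the entity, the resolver returned an empty stream, and the referenced resource was never opened. Whether to print the blocked system id is the operational trade-off Costin raises; the resolver itself behaves the same either way. A stricter configuration that a practitioner would also consider is to refuse DOCTYPE declarations outright via the parser's `disallow-doctype-decl` feature, which rejects such a body before any entity is declared, at the cost of breaking clients that legitimately send a DTD.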