tomcat-dev mailing list archives

From George Sexton <gsex...@mhsoftware.com>
Subject Re: [VOTE] Release build 5.5.27
Date Thu, 04 Sep 2008 04:01:13 GMT


Rainer Jung wrote:
> George Sexton schrieb:
>> I will try a wild-card permission and see what happens.
> 
> Thank you. One caveat: I tried to end the path with
> "${file.separator}-", but that doesn't work. When using the trailing "-"
> syntax, you really have to use a real file separator, not the variable :(
> 

Thanks for the tip. That probably would have driven me nuts.

I tried the wild card permission, and it does "solve" the problem. I had 
to give the permission to the top of my webapps directory. I did a quick 
audit of the code, and don't see anything that global read would be bad 
for.

If you modify catalina.policy to "solve" the problem, you're opening 
things up in the future for a security hole. Someone will add something 
to the jar that can do an arbitrary read and then bang, there's a major 
vulnerability staring at you.

From a philosophical standpoint, having to create a policy log entry so 
the system doesn't throw an exception looking for a non-existent file is 
not desirable.



-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

