tomcat-dev mailing list archives
From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r729825 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/coyote/http11/Http11Processor.java webapps/docs/changelog.xml
Date Tue, 30 Dec 2008 11:54:24 GMT
billbarker@apache.org wrote:
> @@ -235,6 +224,9 @@
>    http://svn.apache.org/viewvc?rev=721708&view=rev
>    http://svn.apache.org/viewvc?rev=721886&view=rev
>    +1: markt, fhanik
> +   0: billbarker: Haven't tried to break it yet, but the 4th patch potentially
> +      offers access to static fields in ELContextImpl and ELResolverImpl that could
> +      possibly be exploited by a malicious webapp.
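Review bot: the new 0 vote refers to "the 4th patch" without identifying it; only two revision URLs are visible in this hunk's context, so the entry should cite the revision URL of the patch the concern applies to, and name which static fields in ELContextImpl and ELResolverImpl are meant, so that other reviewers can verify the exposure claim rather than guess which change it covers.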

Any thoughts on how to fix this? How about testing for a security manager and if one is present creating new instances of NullFunctionMapper and DefaultResolver rather than re-using the static ones?

Mark
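The pattern Mark proposes above, as an added illustration that is not Tomcat code: a hypothetical ToyResolver with mutable state stands in for the static NullFunctionMapper/DefaultResolver helpers, and a factory hands out the shared instance only when no SecurityManager is installed.

```java
// Added illustration (not Tomcat code): hand out a shared static helper
// only when all code in the JVM is trusted, otherwise a fresh instance.
import java.util.ArrayList;
import java.util.List;

/** Hypothetical stand-in for a resolver that carries mutable state. */
class ToyResolver {
    private final List<String> hooks = new ArrayList<>();

    void addHook(String name) {
        hooks.add(name);
    }

    List<String> hooks() {
        return hooks;
    }
}

final class ResolverHolder {
    // Shared instance: cheap, but reachable by every webapp in the JVM,
    // so anything one webapp stores in it is visible to the others.
    private static final ToyResolver SHARED = new ToyResolver();

    /**
     * Without a SecurityManager all deployed code is trusted, so reusing
     * the static instance is fine. With one present, return a fresh
     * instance per caller so state injected by one webapp cannot reach
     * another through the shared object.
     */
    static ToyResolver resolver() {
        if (System.getSecurityManager() == null) {
            return SHARED;
        }
        return new ToyResolver();
    }

    public static void main(String[] args) {
        ToyResolver a = ResolverHolder.resolver();
        a.addHook("from-webapp-A");           // constructed sample state
        ToyResolver b = ResolverHolder.resolver();
        // Without a SecurityManager, b sees A's hook (shared state);
        // run with -Djava.security.manager and b.hooks() is empty.
        System.out.println("b sees: " + b.hooks());
    }
}
```

Run it twice, once plainly and once with `-Djava.security.manager`, to see the two behaviours; note that SecurityManager is deprecated in current JDKs and was the standard isolation mechanism at the time of this thread.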

