tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <falva...@geocom.com.uy>
Subject RE: Static resource mapping in web.xml
Date Wed, 08 Jun 2011 15:44:21 GMT
I know we are going a little off the original topic, but for me this is very
interesting.

I think I understand your point:

	Any library in /webapp/lib/ that has access to executing linux
commands (as you point) could be executed as well from any browser.

	If invoker is not enabled, unless this class is mapped there is no
possible harm.

Your example made clear the damage potential in using invoker.

But: unless there are JARs with this capabilities in Tomcats distribution or
standard packages (like xstream, axis, itext, ...) this is a very improbable
situation, right? Because whoever writes this URL should precisely know the
architecture of the application in order to use a non-standard library or
servlet.

-----Mensaje original-----
De: André Warnier [mailto:aw@ice-sa.com] 
Enviado el: miércoles, 08 de junio de 2011 12:21
Para: Tomcat Users List
Asunto: Re: Static resource mapping in web.xml

falvarez@geocom.com.uy wrote:
...

> 
> Invoker: I know it is bad (even more than the overlord), probably don't
know
> how bad or the impact it has in usage, but for now it works.
> 
> I've read some about it, but never could really understand the problems it
> brings.
> 
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q3

Basically, unless you are very very careful, it allows anyone, through a
carefully crafted 
request URL, to invoke this nasty class in this nasty jar, which does a "rm
-r /*" or a 
"cat /etc/my/secret/file" or whatever else is really nasty.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message