falvarez@geocom.com.uy wrote:
...
>
> Invoker: I know it is bad (even more than the overlord), probably don't know
> how bad or the impact it has in usage, but for now it works.
>
> I've read some about it, but never could really understand the problems it
> brings.
>
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q3
Basically, unless you are very very careful, it allows anyone, through a carefully crafted
request URL, to invoke this nasty class in this nasty jar, which does a "rm -r /*" or a
"cat /etc/my/secret/file" or whatever else is really nasty.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|