tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Remy Maucherat" <>
Subject Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release
Date Sat, 02 Mar 2002 05:48:26 GMT
> Remy Maucherat wrote:
> >
> > A security vulnerability affecting the sandboxing provided by the Java
> > Security Manager has been discovered. The request dipatcher
functionality of
> > the Servlet API could be used by a malicious servlet or JSP page to get
> > access to any resource located on the server's filesystem, bypassing the
> > Security Manager protection.
> >
> > Note: People who are not using Tomcat with the Security Manager are not
> > affected by this problem, and do not need to upgrade.
> >
> This statement is misleading.  I reviewed the bug report and patch.
> The security bug had nothing to do with the SecurityManager implementation
> itself.  It was due to the file path not being normalized before getting
> the RequestDispatcher for it.  Tomcat would be vulnerable to this
> of whether it was running with the SecurityManager or not.
> In fact if you were running Tomcat with the SecurityManager enabled and
> a strict catalina.policy which restricted file access with FilePermissions
> you would be less vulnerable than Tomcat running without the
> Sorry this is a a few hours too late for the announcement.
> Perhaps a followup announcement could be made to correct this.

I agree, but if you don't have the security manager, a malicious servlet
could already use direct filesystem access to read any file on the server,
which is a lot easier to use than this vulnerability. So the vulnerability
doesn't make it more insecure (but it's still a spec compliance bug).

OTOH, if you have the security manager, you're supposed to be protected,
regardless of whether or not there's a bug in the request dispatcher.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message