markt 2005/02/21 14:54:23 Modified: webapps/tomcat-docs/config context.xml http11.xml Log: Add warning to docs regarding use of deprecated connector and allowLinking=true Revision Changes Path 1.15 +5 -0 jakarta-tomcat-4.0/webapps/tomcat-docs/config/context.xml Index: context.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/config/context.xml,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- context.xml 19 Nov 2004 20:52:02 -0000 1.14 +++ context.xml 21 Feb 2005 22:54:23 -0000 1.15 @@ -178,6 +178,11 @@ (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.</b></p> + <p><b>NOTE: This flag MUST NOT be set to true when using the deprecated + <a href="http11.html">HTTP 1.1</a> connector as it will disable checks + that protect against mal-formed requests resulting in JSP source code + disclosure.</b></p> + </attribute> <attribute name="cacheTTL" required="false"> 1.7 +6 -0 jakarta-tomcat-4.0/webapps/tomcat-docs/config/http11.xml Index: http11.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/config/http11.xml,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- http11.xml 12 Jan 2003 17:26:48 -0000 1.6 +++ http11.xml 21 Feb 2005 22:54:23 -0000 1.7 
@@ -19,6 +19,12 @@ <p><b>IMPORTANT NOTE: The HTTP/1.1 connector is now deprecated. Use the Coyote HTTP/1.1 connector instead.</b></p> + <p><b>IMPORTANT NOTE: This connector MUST NOT be used in conjunction + with any <a href="context.html">Context</a> element that has the + <code>allowLinking</code> attribute set to <code>true</code>. In this + configuration it is possible for a mal-formed request to result in source + code exposure of JSPs.</b></p> + <p>The <strong>HTTP/1.1 Connector</strong> element represents a <strong>Connector</strong> component that supports the HTTP/1.1 protocol. It enables Catalina to function as a stand-alone web server, in addition
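Review bot: In the context.xml hunk (@@ -178,6 +178,11 @@), the link text in the new NOTE reads "HTTP 1.1", while http11.xml names the component "HTTP/1.1 connector" and also mentions a "Coyote HTTP/1.1 connector", so this paragraph alone does not tell the reader which connector the prohibition covers. Suggest using the exact name, for example "the deprecated HTTP/1.1 connector", and stating explicitly whether the Coyote HTTP/1.1 connector is affected. Minor: "mal-formed" is normally spelled "malformed".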
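Review bot: In the http11.xml hunk (@@ -19,6 +19,12 @@), the new IMPORTANT NOTE calls the impact "source code exposure of JSPs" and does not mention the disabled checks, while the matching context.xml note says "JSP source code disclosure" and attributes it to checks being disabled; two warnings about one issue should share the same wording so readers recognise them as the same problem. The note also only says what must not be done: since the preceding paragraph already recommends the Coyote HTTP/1.1 connector, add a sentence telling administrators who need allowLinking="true" which supported configuration to move to. The link points at context.html as a whole; if that page has an anchor for the attribute, link to it directly.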