See below:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 12 July 2002 14:18
> To: [EMAIL PROTECTED]
> Subject: Few questions with XSS vulnerability
>
>
> Since I can't upgrade to the latest beta (trying to stick
> with RPMs), the suggested workaround is to unmap /servlet/ in
> tomcat's web.xml. By unmapping that, what changes would I likely
> need to make in the tomcat or webapps web.xml to avoid 404 errors

As I understand it, it's enough to disable the generic invoker servlet. (That means that you have to define all your servlets explicitly if that's not already the case.)

> Would I need to do this for each .jsp in that webapp?

No, you don't need the invoker servlet to run JSPs. (The JSP servlet is defined explicitly by default.)

> Beyond that, am I also likely to need to add an entry
> WEB-INF/web.xml for each .jar in its WEB-INF/lib? What
> would these entries be if any?

When Tomcat starts, it automatically includes all jar files in the lib directories in the classpath.
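
The workaround discussed in this thread, shown as an added configuration example that is not part of the original messages: the invoker mapping in Tomcat's global web.xml is commented out, and a servlet is declared explicitly in the webapp's own WEB-INF/web.xml. The servlet name `report`, the class `com.example.ReportServlet` and the URL pattern are hypothetical.

```xml
<!-- File 1: $CATALINA_HOME/conf/web.xml (global defaults) -->

<!-- Disabled: with this mapping active, any request under /servlet/
     is handed to the generic invoker servlet.
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->

<!-- The jsp servlet and its *.jsp mapping in the same file stay as they
     are, so JSP pages need no per-page entry. -->


<!-- File 2: webapps/<app>/WEB-INF/web.xml (one pair per servlet) -->
<web-app>

    <!-- Hypothetical servlet that was previously reached via the invoker -->
    <servlet>
        <servlet-name>report</servlet-name>
        <servlet-class>com.example.ReportServlet</servlet-class>
    </servlet>

    <!-- Exact-match pattern chosen (as an assumption) to equal the old
         invoker URL, so existing links do not start returning 404 -->
    <servlet-mapping>
        <servlet-name>report</servlet-name>
        <url-pattern>/servlet/com.example.ReportServlet</url-pattern>
    </servlet-mapping>

    <!-- No entries are needed for the jar files in WEB-INF/lib -->

</web-app>
```

Tomcat has to be restarted for the change in conf/web.xml to take effect; any servlet without an explicit mapping then answers with 404 instead of being loaded by class name.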