Re: apps conversion from 3.3.1 to 4.1.12

2002-10-10 Thread Craig R. McClanahan
On Thu, 10 Oct 2002, Henri Gomez wrote: Date: Thu, 10 Oct 2002 08:10:03 +0200 From: Henri Gomez [EMAIL PROTECTED] Reply-To: Tomcat Developers List [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Subject: Re: apps conversion from 3.3.1 to 4.1.12 If this reference

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-10 Thread Costin Manolache
Craig R. McClanahan wrote: Keep in mind that if it works here, it would also work on something like: InputStream stream = getServletContext().getResourceAsStream("../../../etc/passwd"); with some suitable number of .. depending on where you've got Tomcat installed.

RE: apps conversion from 3.3.1 to 4.1.12

2002-10-10 Thread Ignacio J. Ortega
From: news [mailto:[EMAIL PROTECTED]]On Behalf Of Costin Manolache Sent: Thursday, October 10, 2002 10:26 PM against access to resources is to use a sandbox. If you don't - ok, i understand, thanks.. Saludos, Ignacio J. Ortega

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Remy Maucherat
Henri Gomez wrote: Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. 1) We used to define our own default servlet, but 4.1.x defines its own default in conf/web.xml. Could we change from org.apache.catalina.servlets.DefaultServlet

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Henri Gomez
Remy Maucherat wrote: Henri Gomez wrote: Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. 1) We used to define our own default servlet, but 4.1.x defines its own default in conf/web.xml. Could we change from

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Bill Barker
- Original Message - From: Henri Gomez [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 08, 2002 11:33 PM Subject: apps conversion from 3.3.1 to 4.1.12 Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. Wot? 3.3.1 isn't

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Henri Gomez
This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived from XmlMapper which is able to locate entities in ../../../

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Henri Gomez
Remy Maucherat wrote: Henri Gomez wrote: This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived from XmlMapper which is

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Craig R. McClanahan
On Wed, 9 Oct 2002, Henri Gomez wrote: Date: Wed, 09 Oct 2002 17:39:00 +0200 From: Henri Gomez [EMAIL PROTECTED] Reply-To: Tomcat Developers List [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Subject: Re: apps conversion from 3.3.1 to 4.1.12 Remy Maucherat wrote

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Remy Maucherat
Henri Gomez wrote: Remy Maucherat wrote: Henri Gomez wrote: This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Henri Gomez
org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344) at java.net.URL.openStream(URL.java:793) Well, that's exactly the same. Where do you think that weird URL connection goes ?? (hint: to the aforementioned FileDirContext, through

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Henri Gomez
Haven't looked at the code, but here's a couple of thoughts that might help: If your path above (../../../settings.xml) is attempting to go above the context root of the webapp, it's pretty much guaranteed to fail because of the security restrictions. Undoing that restriction would just

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Craig R. McClanahan
On Wed, 9 Oct 2002, Henri Gomez wrote: Date: Wed, 09 Oct 2002 18:13:10 +0200 From: Henri Gomez [EMAIL PROTECTED] Reply-To: Tomcat Developers List [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Subject: Re: apps conversion from 3.3.1 to 4.1.12 Haven't looked at the code

Re: apps conversion from 3.3.1 to 4.1.12

2002-10-09 Thread Henri Gomez
If this reference is in your web.xml file, then my suggestion is already being done. To test it, try temporarily copying the settings.xml file into the WEB-INF directory and changing the relative URL appropriately. Putting the file in WEB-INF works, even if I use ../settings, ie directly in