> Anyone working on this (or should I start)?

That's already been done (and integrated in 4.0.1).

> [EMAIL PROTECTED] wrote:
>
> > On Sat, 13 Oct 2001, Pier Fumagalli wrote:
> >
> >>On Friday, October 12, 2001, at 07:57 pm, <[EMAIL PROTECTED]> wrote:
> >>
> >>>BTW, the CGI problem doesn't seem to be resolved, it should be mentioned
> >>>in the release notes ( for people who use sandbox - including a workaround
> >>>maybe )
> >>>
> >>What was the CGI problem? I don't see it in BugZilla, I might have
> >>lost it in the void of my vacation?
> >>
> >
> > It was discussed some time ago on tomcat-dev - if you run tomcat
> > in sandbox mode ( and assume that you can deploy webapps in
> > a secure way, like applets in a browser ) you'll have a bad surprise -
> > the webapps will be indeed restricted to what the policy file says, with
> > one exception - that they'll be able to execute arbitrary programs ( by
> > declaring the cgi/ssi servlet, adding a mapping and an exe in
> > the WEB-INF ).
> >
> > ( BTW, I hope the fix will be ported to various apps that include tomcat
> > as well, especially those using sandbox - most j2ee impl. do that... )

Remy
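A deployment-time audit for the condition described in the quoted message, as an added example that is not part of the thread or of Tomcat's own code: it parses a webapp's `WEB-INF/web.xml` and reports servlets whose class is a CGI or SSI servlet, together with their URL mappings. The class names in `EXEC_SERVLET_CLASSES`, the function names and the sample descriptor are assumptions constructed for illustration; the thread names only "the cgi/ssi servlet".

```python
import xml.etree.ElementTree as ET

# Assumption: class names of the container's CGI and SSI servlets.
# Adjust this set to the Tomcat release actually deployed.
EXEC_SERVLET_CLASSES = {
    "org.apache.catalina.servlets.CGIServlet",
    "org.apache.catalina.ssi.SSIServlet",
}

# Constructed sample descriptor: one ordinary servlet, one CGI declaration.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>hello</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class></servlet>
  <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag):
    # Strip an XML namespace so namespaced and plain descriptors both match.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def find_exec_servlets(web_xml_text, flagged=EXEC_SERVLET_CLASSES):
    """Return (servlet-name, class, [url-patterns]) for each flagged servlet."""
    root = ET.fromstring(web_xml_text)
    declared, mappings = {}, {}
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind == "servlet":
            cls = _child_text(elem, "servlet-class")
            if cls in flagged:
                declared[_child_text(elem, "servlet-name")] = cls
        elif kind == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            mappings.setdefault(name, []).append(_child_text(elem, "url-pattern"))
    return [(n, c, sorted(mappings.get(n, []))) for n, c in sorted(declared.items())]

if __name__ == "__main__":
    for name, cls, patterns in find_exec_servlets(SAMPLE_WEB_XML):
        print(f"webapp declares {cls} as '{name}', mapped to {patterns}")
```

A finding with an empty pattern list means the servlet is declared but not mapped in that descriptor.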
