larryi 01/05/15 05:59:53
Modified: . RELEASE-PLAN-3.3
Log:
Update to move getRequestURI problem to Beta 1.
Indicate requirement in Milestone 3 to check security problem of URLs with
escape sequences being able to reveal JSP source.
Indicate requirement in Beta 1 to address problem of getResource() allowing
access to files outside the web application with paths containing the right
escape sequences.
Revision Changes Path
1.11 +8 -5 jakarta-tomcat/RELEASE-PLAN-3.3
Index: RELEASE-PLAN-3.3
===================================================================
RCS file: /home/cvs/jakarta-tomcat/RELEASE-PLAN-3.3,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- RELEASE-PLAN-3.3 2001/05/15 09:47:52 1.10
+++ RELEASE-PLAN-3.3 2001/05/15 12:59:49 1.11
@@ -75,7 +75,7 @@
Known issues in order of priority
- 1. getRequestURI() should return an encoded string (if feasible)
+ 1. Verify that JSP source is not served when escaping tricks are used
2. Update build process to create archives and internal directory
structure consistent with other Jakarta projects, i.e. use
jakarta-tomcat-3.3-xxx.
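Review bot: the new item 1, "Verify that JSP source is not served when escaping tricks are used", has no stated acceptance criterion; since the log message ties it to URLs containing escape sequences, the plan line should name what is being verified (that percent-encoded and otherwise escaped request paths mapping to a JSP are always dispatched to the JSP handler rather than served as a static file) so the milestone can be signed off against a concrete check rather than a reading of "tricks". Also worth recording here that the old item 1 (getRequestURI encoding) is not dropped but moved to Beta 1, so a reader of this hunk alone does not conclude it was abandoned.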
@@ -105,13 +105,16 @@
object in the session. The spec calls for the reverse.
B. setAttribute() doesn't call valueUnbound() for the
object it replaces, if present.
- 3. Session recyling includes keeping the HttpSessionFacade. I believe
+ 3. Fix getResource() to not allow access to files outside of the web
+ application.
+ 4. Session recyling includes keeping the HttpSessionFacade. I believe
this represents a security risk. May need to discard session
facades, or at least discard them for untrusted web applications.
- 4. Update getRemoteHost() to be consistent with Tomcat 3.2.2, which
+ 5. getRequestURI() should return an encoded string
+ 6. Update getRemoteHost() to be consistent with Tomcat 3.2.2, which
does a reverse DNS lookup.
- 5. Verify no reqressions.
- 6. TBD...
+ 7. Verify no reqressions.
+ 8. TBD...
Tomcat 3.3 Beta 2:
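Review bot: the new item 3, "Fix getResource() to not allow access to files outside of the web application", should state the intended control, i.e. that the resolved path is canonicalized and checked to lie under the web application root before any file is opened, otherwise "outside" is left to interpretation at fix time and at verification time. The renumbered lines also carry over two spelling errors from the old text that this edit could have corrected: "+ 4. Session recyling" should read "recycling", and "+ 7. Verify no reqressions." should read "regressions".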