Anyone working on this (or should I start)? [EMAIL PROTECTED] wrote:
> On Sat, 13 Oct 2001, Pier Fumagalli wrote: > > >>On Friday, October 12, 2001, at 07:57 pm, <[EMAIL PROTECTED]> wrote: >> >>>BTW, the CGI problem doesn't seem to be resolved, it should be >>>mentioned >>>in the release notes ( for people who use sandbox - including a >>>workaround >>>maybe ) >>> >>What was the CGI problem? I don't see it in BugZilla, I might have >>lost it in the void of my vacation? >> > > It was discussed some time ago on tomcat-dev - if you run tomcat > in sandbox mode ( and assume that you can deploy webapps in > a secure way, like applets in a browser ) you'll have a bad surprise - > the webapps will be indeed restricted to what the policy file says, with > one exception - that they'll be able to execute arbitrary programs ( by > declaring the cgi/ssi servlet, adding a mapping and an exe in > the WEB-INF ). > > ( BTW, I hope the fix will be ported to various apps that include tomcat > as well, especially those using sandbox - most j2ee impl. do that... ) > > Costin > > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
