http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8263

Summary: url-pattern easily to circumvent
Product: Tomcat 3
Version: 3.2.1 Final
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Critical
Priority: Other
Component: Webapps
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

It seems easy to circumvent the security-constraint set in a web.xml file. If the url-pattern is, e.g., /notaccessable/* then typing a URL like the following in a browser provides a listing where you can click and view every file.

http://domain:port/.//notaccessable/

If you know the name, you can type it just behind the last slash and you get the file immediately.

Am I missing something? Can this somehow be fixed?
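The mismatch described in the report, as an added example that is not part of the original bug report and is not Tomcat's code: a prefix url-pattern compared against the raw request path misses /.//notaccessable/, while the same comparison after path normalization catches it. The function names are hypothetical, the matching is a simplified model of servlet prefix patterns, and the path is assumed to be already percent-decoded.

```python
# Added illustration: simplified prefix matching, not Tomcat's actual code.

def matches_prefix_pattern(pattern: str, path: str) -> bool:
    """Match a servlet-style prefix pattern such as '/notaccessable/*'."""
    if not pattern.endswith("/*"):
        return path == pattern          # exact-match patterns only
    prefix = pattern[:-2]               # '/notaccessable'
    return path == prefix or path.startswith(prefix + "/")


def normalize(path: str) -> str:
    """Collapse '.', empty and '..' segments the way a file lookup would.

    Assumes the path is already percent-decoded. Raises ValueError if '..'
    would climb above the web application root.
    """
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                    # '//' and '/./' add nothing
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the application root")
            segments.pop()
        else:
            segments.append(seg)
    normalized = "/" + "/".join(segments)
    # Keep a trailing slash so directory requests stay directory requests.
    if path.endswith(("/", "/.")) and normalized != "/":
        normalized += "/"
    return normalized


def is_protected(pattern: str, request_path: str, canonicalize: bool) -> bool:
    """Decide whether the security constraint applies to the request."""
    path = normalize(request_path) if canonicalize else request_path
    return matches_prefix_pattern(pattern, path)


PATTERN = "/notaccessable/*"
# Constructed sample requests; the second is the form from the report.
SAMPLES = ["/notaccessable/", "/.//notaccessable/", "/public/index.html"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, is_protected(PATTERN, p, False), is_protected(PATTERN, p, True))
```

The constraint check and the resource lookup have to see the same canonical path; normalizing in only one of the two places reproduces the gap.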