http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12968

[Possible security hole?] package.access security in Catalina/CatalinaService

           Summary: [Possible security hole?] package.access security in Catalina/CatalinaService
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


From looking at the Tomcat 4.0.4 source (I can imagine this hasn't changed in Tomcat 4.1.x), when Tomcat starts up, the Catalina class dynamically sets up package.access security when a SecurityManager is enabled. Specifically, it adds protection to "org.apache.catalina.,org.apache.jasper.". However, this won't protect the package "org.apache.catalina" itself, just the subpackages like "org.apache.catalina.core."

Is this a security bug? In addition to the existing package.access check, shouldn't the dynamic package.access logic also try to protect "org.apache.catalina,org.apache.jasper"? (Note that these *don't* have the trailing period.)

Thanks,
Eddie
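To make the trailing-period point concrete, here is a small model of the prefix comparison behind package.access, added as an example (it is not code from the report, from Tomcat or from the JDK). It assumes the JDK-1.4-era check was a plain startsWith() of the class's package name against each entry of the comma-separated package.access list; the CATALINA_* values are taken from the report.

```python
# Model of java.lang.SecurityManager.checkPackageAccess() as the report
# describes it. Assumption: the check is a plain startsWith() against each
# entry in the package.access security property (JDK 1.4 behaviour).
# Constructed example, not Tomcat's or the JDK's own code.


def parse_package_access(value):
    """Split a package.access property value into restricted prefixes."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_restricted(pkg, restricted):
    """True if loading a class from `pkg` would trigger the
    accessClassInPackage permission check under the prefix model."""
    return any(pkg.startswith(prefix) for prefix in restricted)


def coverage(value, packages):
    """Map each probe package to whether the given list covers it."""
    restricted = parse_package_access(value)
    return {pkg: is_restricted(pkg, restricted) for pkg in packages}


# What Catalina appends when a SecurityManager is enabled (from the report).
CATALINA_DEFAULT = "org.apache.catalina.,org.apache.jasper."

# The reporter's proposal: the same names without the trailing period.
CATALINA_PROPOSED = CATALINA_DEFAULT + ",org.apache.catalina,org.apache.jasper"

# Constructed probe set: the parent packages, a subpackage, and a sibling
# package that merely shares the spelling of the parent.
PROBE = [
    "org.apache.catalina",
    "org.apache.catalina.core",
    "org.apache.jasper",
    "org.apache.catalinax",
]

if __name__ == "__main__":
    for label, value in (("default", CATALINA_DEFAULT), ("proposed", CATALINA_PROPOSED)):
        print(label)
        for pkg, hit in coverage(value, PROBE).items():
            print(f"  {pkg:28} {'restricted' if hit else 'OPEN'}")
```

Under this model the default list leaves "org.apache.catalina" open while covering "org.apache.catalina.core"; the dot-less entries close that gap, but as plain prefixes they also match any package whose name merely begins with "org.apache.catalina", so the broader entry should be checked against the packages actually deployed.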