http://issues.apache.org/bugzilla/show_bug.cgi?id=29728
Tomcat 'admin' application allows jspf source browsing

[EMAIL PROTECTED] changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|RESOLVED |REOPENED
         Resolution|WONTFIX  |

------- Additional Comments From [EMAIL PROTECTED]  2004-06-26 08:59 -------
Well Remy, I completely agree with you regarding servlet mapping. I just meant that IMHO some security constraints should be added to the distributed standard config of the 'admin' app. Otherwise inexperienced system admins may trustfully retain security holes in their production systems.

My suggestions are:
- consider adding <url-pattern>*.jspf</url-pattern> and <url-pattern>*.xml</url-pattern> to the security constraints (at least);
- consider protection of directories from unauthorized browsing; I tried to use <url-pattern>*/</url-pattern>, but it results in an exception during server startup; so I may suggest using listings=false for the default servlet at least.

Regards,
Serge
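The two changes proposed in the comment above, written out as an added example (not taken from the bug report or from Tomcat's shipped configuration): the `listings` init-param on Tomcat's standard DefaultServlet in the global conf/web.xml, and a security-constraint in the admin webapp's own WEB-INF/web.xml covering the *.jspf and *.xml patterns. The deny-all form (an empty `<auth-constraint/>`) is this example's choice rather than adding the patterns to the existing admin-role constraint; the `*/` pattern fails at startup because the servlet spec only allows path mappings starting with `/` or extension mappings of the form `*.ext`.

```xml
<!-- conf/web.xml (global): make sure the default servlet never produces
     directory listings for directories that have no index page -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>  <!-- "true" lets any client browse unprotected directories -->
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- WEB-INF/web.xml of the 'admin' webapp: JSP fragments and XML files are
     included server-side and must never be served directly to a client.
     Security constraints apply to client requests only, so <jsp:include>
     and RequestDispatcher includes of these files keep working. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Included fragments and configuration files</web-resource-name>
    <url-pattern>*.jspf</url-pattern>
    <url-pattern>*.xml</url-pattern>
  </web-resource-collection>
  <!-- empty auth-constraint: no role at all may request these resources -->
  <auth-constraint/>
</security-constraint>
```

Directories that still need protection from direct requests (not just from listing) can be covered by an extra `<url-pattern>/some/dir/*</url-pattern>` in the same collection, which is a valid path mapping where `*/` is not.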