Tim Funk wrote:
> There was a security flaw in 4.1.11 and earlier such that /servlet/*
> could be used for bad things. The flaw was fixed in the invoker servlet
> for the "obvious" issues, but it still leaves the door open for people to
> do other bad things if people aren't careful.
>
> In $CATALINA_HOME/conf/web.xml - look for the invoker servlet and
> uncomment it to turn that functionality back on. My guess is it is now
> commented out by default (which is a good practice to have).
>
> Personally - I hate the concept of /servlet/* being able to invoke a
> class. It may make development easier - but then you run into subtle
> security goofs.
>
> -Tim
>
Please excuse my ignorance, what's the preferred way to invoke a servlet
class file then?
I have a servlet named smimc that I defined in a web.xml inside the
smimc/WEB-INF/ directory:
...
<servlet>
    <servlet-name>
        smimc
    </servlet-name>
    <servlet-class>
        org.apache.turbine.Turbine
    </servlet-class>
...
I used to be able to invoke it with the path /smimc/servlet/smimc.
However, this doesn't seem to work anymore with the invoker turned off.
I can turn the lines in Tomcat's web.xml back on, but that risks
security (?). So what's the proper way for this to work then?
Will
--
William Lee (Will) | Sendmail Inc.
Email: [EMAIL PROTECTED] | http://www.sendmail.com
Tel: (510) 594-5505 |
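The explicit alternative to the invoker, as an added example that is not part of this thread: keep the servlet declaration Will already has and add a <servlet-mapping> in the same smimc/WEB-INF/web.xml, so the old URL keeps working while the invoker in $CATALINA_HOME/conf/web.xml stays commented out. The servlet name and class come from the message above; the file header and the remark about init-params are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- smimc/WEB-INF/web.xml: added example, not the poster's actual file -->
<web-app>

  <!-- The servlet declaration as posted; the name is what the mapping refers to. -->
  <servlet>
    <servlet-name>smimc</servlet-name>
    <servlet-class>org.apache.turbine.Turbine</servlet-class>
    <!-- Any Turbine-specific <init-param> elements would go here (assumption). -->
  </servlet>

  <!-- Explicit mapping: this is what the invoker servlet did implicitly for
       any class name given after /servlet/. With the invoker disabled, the
       /servlet/ prefix is no longer special; it is just a path this webapp
       chooses to answer on, so /smimc/servlet/smimc works without the invoker. -->
  <servlet-mapping>
    <servlet-name>smimc</servlet-name>
    <url-pattern>/servlet/smimc</url-pattern>
  </servlet-mapping>

  <!-- Every other class under WEB-INF/classes stays unreachable over HTTP,
       because only declared and mapped servlets can be invoked. -->

</web-app>
```

Each servlet that should be reachable gets its own <servlet> and <servlet-mapping> pair; nothing else in the webapp's classpath becomes invokable by URL, which is exactly the exposure the invoker created.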