Explicit declarations of servlets in web.xml and explicit mappings to the declared servlets. If things need to be dynamically invoked - measures need to be put in place to prevent abuse. Currently - the /servlet/ patch only blocks certain servlets but can still let others be dynamically invoked accidentally.

For example: using library XYZ provides a common good which can also be administered via some servlets. Since the servlets are in a common location - they may be invoked by the invoker via:

  /servlet/com.nice.package.Class/args/to/do?something=bad

So you might be allowed to get shot in the foot without knowing it. I prefer the explicit mapping. Allowing a class name as an argument to be dynamically invoked is asking for trouble. This is especially true when working with multiple developers of various skill levels. The experienced ones will open the bad doors but be wise enough to put safeguards in to close them. The inexperienced ones will mimic the same behavior - but leave some holes open. In such a time constrained/closed environment - we will be ok from a security point of view. Until someone gets pissed off and leaves OR another exploit is opened which triggers a chain reaction of previously undiscovered issues.

William Lee wrote:
> Tim Funk wrote:
>
>> There was a security flaw in 4.1.11 and earlier so that
>> /servlet/* could be used for bad things. The flaw was fixed in the
>> invoker servlet for the "obvious" issues but it still leaves the door
>> open for people to do other bad things if people aren't careful.
>>
>> In $CATALINA_HOME/conf/web.xml - look for the invoker servlet and
>> uncomment it to turn that functionality back on. My guess is it is now
>> commented out by default (which is a good practice to have).
>>
>> Personally - I hate the concept of /servlet/* being able to invoke a
>> class. It may make development easier - but then you run into subtle
>> security goofs.
>>
>> -Tim
>>
>
> Please excuse my ignorance, what's the preferred way to invoke a servlet
> class file then?
>
> I have a servlet named smimc that I defined in a web.xml inside the
> smimc/WEB-INF/ directory:
>
> ...
> <servlet>
>   <servlet-name>
>     smimc
>   </servlet-name>
>   <servlet-class>
>     org.apache.turbine.Turbine
>   </servlet-class>
> ...
>
> I used to be able to invoke it with the path /smimc/servlet/smimc
>
> However, this doesn't seem to work anymore with the invoker turned off.
> I can turn the lines in tomcat's web.xml back on but that risks
> security (?). So what's the proper way for this to work then?
>
> Will
>

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
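What the explicit mapping Tim recommends looks like for the smimc application quoted above, as an added example (editor's addition, not a message from this thread and not Tomcat's shipped configuration): the servlet is declared and mapped to a fixed path in the application's own WEB-INF/web.xml, so the invoker in $CATALINA_HOME/conf/web.xml can stay commented out. The servlet class org.apache.turbine.Turbine comes from the quoted message; the url-pattern /servlet/smimc is an assumption chosen so the old /smimc/servlet/smimc URL keeps working.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- smimc/WEB-INF/web.xml (added example, not from the thread).
     Only servlets declared below are reachable; no class name is ever
     taken from the request URL, which is what the /servlet/* invoker
     allowed. Leave the invoker block in $CATALINA_HOME/conf/web.xml
     commented out. -->
<web-app>

  <!-- Servlet declaration, as in the quoted message. -->
  <servlet>
    <servlet-name>smimc</servlet-name>
    <servlet-class>org.apache.turbine.Turbine</servlet-class>
  </servlet>

  <!-- Explicit mapping (assumed pattern). With the context path /smimc,
       /smimc/servlet/smimc reaches the servlet declared above and only
       that servlet. A request such as /smimc/servlet/com.nice.package.Class
       matches no mapping, so it falls through to the default servlet and is
       not dispatched to any class. -->
  <servlet-mapping>
    <servlet-name>smimc</servlet-name>
    <url-pattern>/servlet/smimc</url-pattern>
  </servlet-mapping>

</web-app>
```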
