The servlet to be disabled is the invoker servlet, not the DefaultServlet. The reason you see "DefaultServlet" so much in these postings is that the DefaultServlet can be "tricked" into serving the sources of your JSPs by invoking it over the invoker servlet, thereby treating JSPs like static content. But the trouble originates in the invoker servlet.

Andreas Mohrig

-----Original Message-----
From: Adam Greene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: Tomcat Users List
Subject: Questions about "[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"

Maybe I don't understand, but DefaultServlet, which is supposed to serve static content, is disabled... How are we supposed to serve up pictures, etc. that are static??

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
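
The distinction drawn in the reply above can be checked in a deployment descriptor: the invoker servlet's URL mapping should be gone while the DefaultServlet mapping stays in place for static content. The following audit script is an added example, not part of the original thread or of Tomcat itself; the `audit_web_xml` helper and the sample descriptors are constructed for illustration, and it assumes servlet declarations and mappings live in the same file, as in a stock `conf/web.xml`.

```python
import xml.etree.ElementTree as ET

INVOKER = "org.apache.catalina.servlets.InvokerServlet"
DEFAULT = "org.apache.catalina.servlets.DefaultServlet"

# Constructed samples modelled on a Tomcat 4.x conf/web.xml (not from the thread).
SERVLETS = """
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class></servlet>
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern></servlet-mapping>
"""
INVOKER_MAPPING = """<servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>"""
EXPOSED = "<web-app>" + SERVLETS + INVOKER_MAPPING + "</web-app>"
# Hardened form: the invoker mapping is commented out, the default mapping is untouched.
HARDENED = "<web-app>" + SERVLETS + "<!-- " + INVOKER_MAPPING + " -->" + "</web-app>"


def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}servlet" if present.
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def audit_web_xml(xml_text):
    """Report which URL patterns reach the invoker and default servlets."""
    root = ET.fromstring(xml_text)  # the default parser discards XML comments
    classes = {_text(s, "servlet-name"): _text(s, "servlet-class")
               for s in _kids(root, "servlet")}
    found = {INVOKER: [], DEFAULT: []}
    for mapping in _kids(root, "servlet-mapping"):
        cls = classes.get(_text(mapping, "servlet-name"))
        if cls in found:
            found[cls] += [(p.text or "").strip() for p in _kids(mapping, "url-pattern")]
    return {"invoker_patterns": found[INVOKER], "default_patterns": found[DEFAULT],
            "invoker_reachable": bool(found[INVOKER])}


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_web_xml(doc))
```
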
