On Thu, 26 Sep 2002, Andreas Mohrig wrote:

> The servlet to be disabled is the invoker servlet, not the
> DefaultServlet. The reason you see "DefaultServlet" so much in
> these postings is that the DefaultServlet can be "tricked" into
> serving the sources of your JSPs by invoking it over the invoker
> servlet, thereby treating JSPs like static content. But the trouble
> is originating in the invoker servlet.

Right. And to add a bit of perhaps clarifying information, "invoking" in this context means calling a servlet using a URL of the form:

    http://www.domain.com/context/servlet/full.class.name.of.servlet

that is, "/servlet" is a virtual directory that invokes the invoker servlet, and "full.class.name.of.servlet" includes the package and class name of the servlet class. This was the main/only way of calling servlets way back when, but now the favored way is to define servlets in web.xml. And some say this invoking method of calling servlets should be disabled as a security precaution anyway, and only defined servlets should be allowed (i.e., even before this bug showed up). This is all controlled by a servlet definition and mapping in the web.xml (in Tomcat 4.0.X, at least, and I assume 4.1.X as well) -- look for "invoker" in it.

> -----Original Message-----
> From: Adam Greene [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 2:47 PM
> To: Tomcat Users List
> Subject: Questions about "[SECURITY] Apache Tomcat 4.x JSP source
> disclosure vulnerability"
>
> Maybe I don't understand, but DefaultServlet, which is supposed to
> serve static content is disabled... How are we supposed to serve up
> pictures, etc that are static??

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
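An added example, not part of the thread, of the "look for invoker in web.xml" check Milt describes: a small Python script that parses a Tomcat 4 style deployment descriptor, reports which URL patterns still route to the invoker servlet, and writes a copy with that servlet definition and its mappings removed while leaving the DefaultServlet in place. The web.xml below is constructed for the example, and the class name org.apache.catalina.servlets.InvokerServlet is assumed to be the one shipped with Tomcat 4.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Tomcat 4's conf/web.xml (descriptors of
# that generation carry no XML namespace). The "invoker" entries are the target.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Invoker class as shipped in Tomcat 4 (assumed here, not quoted from the thread).
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _invoker_names(root):
    # Match on servlet-class, not on the name "invoker": the name is arbitrary.
    return {s.findtext("servlet-name", "").strip() for s in root.findall("servlet")
            if s.findtext("servlet-class", "").strip() == INVOKER_CLASS}

def invoker_mappings(web_xml):
    """URL patterns under which the invoker servlet is reachable ([] = disabled)."""
    root = ET.fromstring(web_xml)
    names = _invoker_names(root)
    return [m.findtext("url-pattern", "").strip() for m in root.findall("servlet-mapping")
            if m.findtext("servlet-name", "").strip() in names]

def disable_invoker(web_xml):
    """Return the descriptor with the invoker definition and its mappings removed."""
    root = ET.fromstring(web_xml)
    names = _invoker_names(root)
    for el in list(root):  # copy: removing while iterating would skip elements
        if el.tag in ("servlet", "servlet-mapping") and el.findtext("servlet-name", "").strip() in names:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("invoker reachable at:", invoker_mappings(SAMPLE_WEB_XML) or "nothing")
    print("after hardening:", invoker_mappings(disable_invoker(SAMPLE_WEB_XML)) or "nothing")
```

Run it against your own conf/web.xml (and any per-application WEB-INF/web.xml that redefines the invoker) by reading the file into the two functions; a non-empty list from invoker_mappings means the /servlet/* path is still live.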
