Just a guess.......

Because someone could theoretically drop a servlet into your file system
programmed to issue commands passed in as a parameter and execute them as
root?


----- Original Message -----
From: "Randy Paries" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Thursday, December 19, 2002 10:19 AM
Subject: RE: Should not be this hard(why is this a security risk)


> That is what I needed ...
>
> Thanks all
>
> To follow this up, why is this a security risk?
>
> Do they want specific mapping for each servlet?
>
> Thanks
>
> -----Original Message-----
> From: PELOQUIN,JEFFREY (HP-Boise,ex1) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 19, 2002 9:54 AM
> To: 'Tomcat Users List'
> Subject: RE: Should not be this hard
>
>
> From the release notes:
>
> ------------------------
> Enabling invoker servlet:
> ------------------------
>
> Starting with Tomcat 4.1.12, the invoker servlet is no longer available
> by default in all webapps. Enabling it for all webapps is possible by
> editing $CATALINA_HOME/conf/web.xml to uncomment the "/servlet/*"
> servlet-mapping definition.
>
> Using the invoker servlet in a production environment is not recommended
> and is unsupported.
>
> -----Original Message-----
> From: Randy Paries [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 19, 2002 8:51 AM
> To: 'Tomcat Users List'
> Subject: Should not be this hard
>
>
> Hello, me again
>
> This should have been so easy (famous last words)
>
> I am upgrading from tomcat jakarta-tomcat-4.0.4 to jakarta-tomcat-4.1.17
> 4.0.4 was working fine.....
>
> For some reason I cannot find my servlets. ARG!
>
> In my web.xml I have a <load-on-startup/> and in the log file, the
> servlet starts OK.... But if I go to
> http://bart.mydomain.com:8080/servlet/uServlet
> I get a 404.......
>
> Here are some details. I have to be missing something very simple.
>
> My static HTML and JSPs work OK when I go to
> http://bart.mydomain.com:8080/index.html
> http://bart.mydomain.com:8080/jsp/dirgloblogin.jsp
>
> But if I go to http://bart.mydomain.com:8080/servlet/uServlet
> I get a 404
>
> From the log file I get:
>
> 2002-12-19 09:42:13 StandardContext[]: Mapping contextPath='' with requestURI='/servlet/uServlet' and relativeURI='/servlet/uServlet
>
> 2002-12-19 09:42:13 StandardContext[]:   Trying exact match
> 2002-12-19 09:42:13 StandardContext[]:   Trying prefix match
> 2002-12-19 09:42:13 StandardContext[]:   Trying extension match
> 2002-12-19 09:42:13 StandardContext[]:   Trying default match
> 2002-12-19 09:42:13 StandardContext[]:  Mapped to servlet 'default' with servlet path '/servlet/uServlet' and path info 'null' and update=true
> 2002-12-19 09:42:13 default: DefaultServlet.serveResource:  Serving resource '/servlet/uServlet' headers and data
>
>
> In my server.xml I have
>
> <Engine name="Standalone" defaultHost="localhost" debug="9">
>
> <Host name="localhost" debug="0" appBase="/home/unit" unpackWARs="true"
> autoDeploy="true">
>
>  <Context path=""
>                  docBase="/home/unit"
>                  crossContext="true"
>                  debug="9"
>                  reloadable="false" >
>  </Context>
>
>
> #ls -ls /home/unit/WEB-INF/classes
> total 104
>   32 -rwxrwxrwx    1 apache   apache      32734 Dec 18 21:31 bbsServlet.class
>    4 drwxrwxrwx    3 apache   apache       4096 Aug 24 22:19 com
>   36 -rw-rw-r--    1 apache   apache      33984 Nov  6 15:43 EditjsServlet.class
>   32 -rwxrwxrwx    1 apache   apache      31030 Dec 18 21:31 uServlet.class
>
> Thanks for any Help!!!
>
>
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
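As an added example (not code from this thread), the per-servlet mapping that replaces the invoker for the webapp quoted above: given the Context (path="", docBase="/home/unit") in the quoted server.xml and the three class files in the ls listing, this would be /home/unit/WEB-INF/web.xml, with the "/servlet/*" invoker mapping in $CATALINA_HOME/conf/web.xml left commented out. The servlet names, the load-on-startup value, and the URL patterns for bbsServlet and EditjsServlet are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- /home/unit/WEB-INF/web.xml (assumed location, from the quoted Context).
     With the invoker disabled, only the classes declared here are reachable
     over HTTP. Any other class that lands in WEB-INF/classes, whether by
     mistake or by an attacker who can write there, is not routable by URL.
     Mapping each servlet explicitly is the intended replacement for
     uncommenting "/servlet/*" in $CATALINA_HOME/conf/web.xml. -->
<web-app>

  <!-- Servlet declarations first (the 2.3 DTD requires this order). -->
  <servlet>
    <servlet-name>uServlet</servlet-name>
    <!-- uServlet.class sits directly in WEB-INF/classes (no package). -->
    <servlet-class>uServlet</servlet-class>
    <load-on-startup>1</load-on-startup>   <!-- assumed value -->
  </servlet>

  <servlet>
    <servlet-name>bbsServlet</servlet-name>
    <servlet-class>bbsServlet</servlet-class>
  </servlet>

  <servlet>
    <servlet-name>EditjsServlet</servlet-name>
    <servlet-class>EditjsServlet</servlet-class>
  </servlet>

  <!-- Explicit URL bindings. Keeping the /servlet/ prefix means the old
       links such as http://bart.mydomain.com:8080/servlet/uServlet keep
       working without the invoker. -->
  <servlet-mapping>
    <servlet-name>uServlet</servlet-name>
    <url-pattern>/servlet/uServlet</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>bbsServlet</servlet-name>
    <url-pattern>/servlet/bbsServlet</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>EditjsServlet</servlet-name>
    <url-pattern>/servlet/EditjsServlet</url-pattern>
  </servlet-mapping>

</web-app>
```

After restarting Tomcat, the "Trying prefix match" line in the quoted log should be followed by a mapping to 'uServlet' instead of falling through to the 'default' servlet, which is what produced the 404.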