Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2005/02/22 00:42:05 UTC

[SECURITY ISSUE] Using allowLinking with deprecated HTTP 1.1 connector

All,

A security issue has come to light where a malformed request may result 
in JSP source code disclosure.

This issue only applies if all of the following are true:
1. You are using any Tomcat 4 version >= 4.1.15
2. You are using the deprecated HTTP 1.1 connector 
(org.apache.catalina.connector.http.HttpConnector)
3. You have configured 1 or more contexts served by the connector with a 
resources element that uses the allowLinking parameter and this 
parameter is set to true.

The fix is to use the Coyote HTTP connector 
(org.apache.coyote.tomcat4.CoyoteConnector).

The on-line Tomcat 4 docs have been updated to include a warning about 
this configuration combination. The next Tomcat 4 release will include 
the updated documentation.

If you are using Tomcat 4 with the standard Coyote HTTP connector this 
issue does not apply.

Tomcat 5.0.x and 5.5.x are unaffected by this issue.

Thanks are due to Glenn Choat who reported this issue to the Tomcat team 
last week.

As a reminder, if you have a verified security bug to report please do 
not post it to email lists or submit a bug report. Security bugs should 
be reported privately by email to security@apache.org

Regards,

Mark
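
An audit check for conditions 2 and 3 above, added here as an example and not part of the original message or of Tomcat: it parses a server.xml and reports every Service that pairs the deprecated connector with a Context whose Resources element sets allowLinking to true. The function name and the sample configuration are constructed for illustration; the Tomcat version (condition 1) has to be checked separately.

```python
import xml.etree.ElementTree as ET

# Connector class name exactly as given in the advisory.
DEPRECATED = "org.apache.catalina.connector.http.HttpConnector"

def find_affected(server_xml):
    """Return (service name, connector port, context path) for every pairing
    of the deprecated connector with an allowLinking="true" context."""
    root = ET.fromstring(server_xml)
    findings = []
    for service in root.iter("Service"):
        # A Service's connectors serve every Context nested below that Service.
        ports = [c.get("port", "?") for c in service.findall("Connector")
                 if c.get("className") == DEPRECATED]
        if not ports:
            continue
        for ctx in service.iter("Context"):
            linked = any(r.get("allowLinking", "false").strip().lower() == "true"
                         for r in ctx.findall("Resources"))
            if linked:
                findings += [(service.get("name"), p, ctx.get("path")) for p in ports]
    return findings

# Constructed sample: "legacy" matches the advisory, "fixed" uses Coyote.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="legacy">
    <Connector className="org.apache.catalina.connector.http.HttpConnector" port="8080"/>
    <Engine name="e1" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/shop" docBase="shop">
          <Resources allowLinking="true"/>
        </Context>
        <Context path="/docs" docBase="docs"/>
      </Host>
    </Engine>
  </Service>
  <Service name="fixed">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8081"/>
    <Engine name="e2" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/shop" docBase="shop"><Resources allowLinking="true"/></Context>
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, port, path in find_affected(SAMPLE):
        print(f"Service {name!r}: port {port} serves {path} with allowLinking=true")
```

The check only sees contexts declared in the file it is given, so any context defined elsewhere needs the same inspection.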
