You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Adam Greene <ag...@romulin.com> on 2002/09/26 14:47:21 UTC
Questions about " [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"
Maybe I don't understand, but DefaultServlet, which is supposed to serve
static content is disabled... How are we supposed to serve up pictures, etc
that are static??
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Questions about " [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability"
Posted by Tim Funk <fu...@joedog.org>.
The DefaultServlet is "ok". But is was being called by the invoker
servlet in a roundabout (unintended manner). The invoker servlet is
typically mapped to /servlet/*
The invoker servlet should be disabled. Or "restricted" using many of
the ways described in other threads.
You should be fine allowing the DefaultServlet to work.
Adam Greene wrote:
> Maybe I don't understand, but DefaultServlet, which is supposed to serve
> static content is disabled... How are we supposed to serve up pictures, etc
> that are static??
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>