Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy

2002-10-01 Thread Glenn Nielsen
Right, there are no security sensitive classes in Tomcat 4 o.a.c.util. I advocated at one time identifying which packages within o.a.c contain security sensitive code and which don't. And documenting this so that a security sensitive class doesn't get added to a package considered public. For s

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy

2002-10-01 Thread Jean-Francois Arcand
Hi Glenn, your last addition seems, IMO, to open a security issue with classes located under the o.a.c.util directory. Actually, maybe not for Tomcat 4.1, but for 5.0, I have created a class called SecurityAudit.java that contains some security check. If we port your latest changes, this clas