> Remy Maucherat wrote:
> >
> > A security vulnerability affecting the sandboxing provided by the Java
> > Security Manager has been discovered. The request dispatcher functionality of
> > the Servlet API could be used by a malicious servlet or JSP page to get
> > access to any resource located on the server's filesystem, bypassing the
> > Security Manager protection.
> >
> > Note: People who are not using Tomcat with the Security Manager are not
> > affected by this problem, and do not need to upgrade.
>
> This statement is misleading. I reviewed the bug report and patch.
> The security bug had nothing to do with the SecurityManager implementation
> itself. It was due to the file path not being normalized before getting
> the RequestDispatcher for it. Tomcat would be vulnerable to this regardless
> of whether it was running with the SecurityManager or not.
>
> In fact if you were running Tomcat with the SecurityManager enabled and
> a strict catalina.policy which restricted file access with FilePermissions
> you would be less vulnerable than Tomcat running without the SecurityManager.
>
> Sorry this is a few hours too late for the announcement.
>
> Perhaps a followup announcement could be made to correct this.
I agree, but if you don't have the security manager, a malicious servlet could already use direct filesystem access to read any file on the server, which is a lot easier to use than this vulnerability. So the vulnerability doesn't make it more insecure (but it's still a spec compliance bug).

OTOH, if you have the security manager, you're supposed to be protected, regardless of whether or not there's a bug in the request dispatcher.

Remy
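The root cause named in the thread is a context-relative path handed to the request dispatcher before its `.` and `..` segments were resolved. The following is an added example, written for this page and not Tomcat's code or the patch under discussion; it is in Python rather than Java so it can be run stand-alone, and the names `PathEscapesContext`, `normalize_context_path`, `resolve_under_root`, `naive_resolve` and `escapes_context` and the context root `/var/lib/tomcat/webapps/ROOT` are the example's own. It shows the check a container needs before any resource lookup: normalize first, refuse a path that climbs above the context root, and only then join it under the root. The naive form beside it shows where an unnormalized path would land once the filesystem resolved the `..` segments.

```python
"""Normalize a dispatcher path before resolving it under the context root.

Added illustration; not Tomcat's implementation. The path check is
independent of any SecurityManager policy: it belongs in the container
regardless of whether a sandbox is configured.
"""
import posixpath


class PathEscapesContext(ValueError):
    """Raised when a path would resolve outside the context root."""


def normalize_context_path(path: str) -> str:
    """Collapse '.', '..' and empty segments of a context-relative path.

    Raises PathEscapesContext as soon as a '..' would climb above the
    root, instead of silently clamping it. (A plain posixpath.normpath
    turns '/../etc/passwd' into '/etc/passwd' and hides the attempt,
    which is why the '..' accounting is done by hand here.)
    """
    if "\0" in path:
        raise ValueError("NUL byte in path")
    if not path.startswith("/"):
        # ServletContext.getRequestDispatcher paths are context-relative;
        # this example only accepts that form.
        raise ValueError("dispatcher path must start with '/'")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                       # '//' and '/./' add nothing
        if seg == "..":
            if not segments:
                raise PathEscapesContext(path)
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve_under_root(context_root: str, path: str) -> str:
    """Hardened lookup: normalize first, then join under the context root."""
    canonical = normalize_context_path(path)
    return posixpath.join(context_root, canonical.lstrip("/"))


def naive_resolve(context_root: str, path: str) -> str:
    """Simulated unsafe lookup: concatenate without any check and let the
    filesystem resolve the '..' segments afterwards (modelled with normpath
    so the example needs no real files)."""
    return posixpath.normpath(posixpath.join(context_root, path.lstrip("/")))


def escapes_context(path: str) -> bool:
    """Predicate form of the check: does this path climb above the root?"""
    try:
        normalize_context_path(path)
    except PathEscapesContext:
        return True
    return False


if __name__ == "__main__":
    root = "/var/lib/tomcat/webapps/ROOT"      # constructed example root
    probes = [                                 # constructed example inputs
        "/index.jsp",
        "/WEB-INF/../index.jsp",
        "/../../../../../etc/passwd",
    ]
    for p in probes:
        try:
            print(f"{p!r:34} -> {resolve_under_root(root, p)}")
        except PathEscapesContext:
            print(f"{p!r:34} -> REFUSED (naive lookup would reach "
                  f"{naive_resolve(root, p)})")
```

Note that the check is applied to the logical path before any filesystem call, and that a single `..` at the top level is enough to refuse the request; counting segments is what makes the difference between a path that merely wanders inside the web application and one that leaves it.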