On Mon, 6 May 2002, Glenn Nielsen wrote:
> Date: Mon, 06 May 2002 14:00:33 -0500
> From: Glenn Nielsen <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: cvs commit:
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets
> ManagerServlet.java
>
>
>
> [EMAIL PROTECTED] wrote:
>
> > On 4 May 2002 [EMAIL PROTECTED] wrote:
> >
> >
> >> Make the "/deploy" command recognize a "META-INF/context.xml" file embedded
> >> inside the WAR, and process it as a context configuration file. This allows
> >> deployment tool clients to customize the configuration of a webapp with
> >> exactly the same degree of freedom as those that use the "/install" command,
> >> with the added benefit of being able to deploy onto a Tomcat instance
> >> running on a different server.
> >>
> >
> > This is a very dangerous path... Having server-config info in the webapp
> > is extremely dangerous, it may (easily) break the sandbox.
> >
> > Unless there's something I'm missing, context.xml will allow loading of
> > valves and other modules that have access to the server internal objects.
> > This is a huge security hole.
> >
> > Well, having the config files in webapps/ is dangerous too - IMHO
> > all potentially dangerous configs should be in conf/, since webapps
> > may be writtable to more groups. But this is far worse.
> >
> > At least add a check to disable this if a security manager is present.
> >
> >
>
>
> I agree, I added a Host config flag called "deployXML" which can disable this
> for context.xml files in the webapps dir. As long as this flag works for
> /META-INF/context.xml we are covered.
>
After reviewing the code, this protection is already in place.
The manager webapp handles any /install or /deploy command that has a
context XML file via the install(URL config, URL war) method of
StandardHostDeployer -- and this method is sensitive to the state of the
"deployXML" property already.
>
> Regards,
>
> Glenn
Craig
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
