DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9344>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9344

Security risk at HttpSessionEvent Source

           Summary: Security risk at HttpSessionEvent Source
           Product: Tomcat 4
           Version: 4.0.4 Beta 3
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Found in StandardSession: in passivate() and activate() the event source is the StandardSession itself, not the StandardSessionFacade!

original: --- L642-679

    public void passivate() {

        // Notify ActivationListeners
        HttpSessionEvent event = null;
        String keys[] = keys();
        for (int i = 0; i < keys.length; i++) {
            Object attribute = getAttribute(keys[i]);
            if (attribute instanceof HttpSessionActivationListener) {
                if (event == null)
                    event = new HttpSessionEvent(this);
                // FIXME: Should we catch throwables?
                ((HttpSessionActivationListener)attribute).sessionWillPassivate(event);
            }
        }

    }

    /**
     * Perform internal processing required to activate this
     * session.
     */
    public void activate() {

        // Notify ActivationListeners
        HttpSessionEvent event = null;
        String keys[] = keys();
        for (int i = 0; i < keys.length; i++) {
            Object attribute = getAttribute(keys[i]);
            if (attribute instanceof HttpSessionActivationListener) {
                if (event == null)
                    event = new HttpSessionEvent(this);
                // FIXME: Should we catch throwables?
                ((HttpSessionActivationListener)attribute).sessionDidActivate(event);
            }
        }

    }

Better is:

    public void passivate() {

        // Notify ActivationListeners, passing the facade (not this) as the event source
        HttpSessionEvent event = new HttpSessionEvent(getSession());
        String keys[] = keys();
        for (int i = 0; i < keys.length; i++) {
            Object attribute = getAttribute(keys[i]);
            if (attribute instanceof HttpSessionActivationListener) {
                // FIXME: Should we catch throwables?
                ((HttpSessionActivationListener)attribute).sessionWillPassivate(event);
            }
        }

    }

    /**
     * Perform internal processing required to activate this
     * session.
     */
    public void activate() {

        // Notify ActivationListeners, passing the facade (not this) as the event source
        HttpSessionEvent event = new HttpSessionEvent(getSession());
        String keys[] = keys();
        for (int i = 0; i < keys.length; i++) {
            Object attribute = getAttribute(keys[i]);
            if (attribute instanceof HttpSessionActivationListener) {
                // FIXME: Should we catch throwables?
                ((HttpSessionActivationListener)attribute).sessionDidActivate(event);
            }
        }

    }

Also, I think the throwables had better be caught!

Another risk is that getServletContext() in StandardSessionFacade does not return the ServletContextFacade.

Also the risky implementation in ApplicationContext! All events have the original StandardContext object as source and not the ApplicationContextFacade.

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
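The following is an added, self-contained illustration of the point the report makes; it is not Tomcat code and is not part of the original bug report. It models the facade pattern with hypothetical names (Session, SessionEvent, ActivationListener, InternalSession, SessionFacade, SnoopingListener): a container-internal session object with public privileged methods, a facade that exposes only the public API, and a webapp-supplied activation listener that tries to cast event.getSession() back to the internal type. The "leaky" notification passes the internal object as the event source, as the original passivate()/activate() do with `this`; the "safe" notification passes the facade, as the suggested fix does with getSession(). Listener throwables are caught and logged in the notification loop, which is what the reporter asks for in place of the FIXME.

```java
// Added example (not Tomcat code): why the event source must be the facade.
// All class names here are hypothetical stand-ins for the Catalina types named in the report.
import java.util.LinkedHashMap;
import java.util.Map;

// Public session API, analogous to javax.servlet.http.HttpSession.
interface Session {
    String getId();
    Object getAttribute(String name);
}

// Analogous to javax.servlet.http.HttpSessionEvent: carries whatever source it was built with.
final class SessionEvent {
    private final Session source;
    SessionEvent(Session source) { this.source = source; }
    Session getSession() { return source; }
}

// Analogous to HttpSessionActivationListener.
interface ActivationListener {
    void sessionDidActivate(SessionEvent e);
}

// Facade: implements only the public API and holds no privileged methods (like StandardSessionFacade).
final class SessionFacade implements Session {
    private final InternalSession session;
    SessionFacade(InternalSession session) { this.session = session; }
    public String getId() { return session.getId(); }
    public Object getAttribute(String name) { return session.getAttribute(name); }
}

// Container-internal session (like StandardSession) with public methods webapp code must never reach.
final class InternalSession implements Session {
    private final String id;
    private final Map<String, Object> attrs = new LinkedHashMap<>();
    private final Session facade = new SessionFacade(this);

    InternalSession(String id) { this.id = id; }
    public String getId() { return id; }
    public Object getAttribute(String name) { return attrs.get(name); }
    public void setAttribute(String name, Object value) { attrs.put(name, value); }
    public Session getSession() { return facade; }

    // Privileged operation that only the container should be able to perform.
    public Map<String, Object> rawAttributes() { return attrs; }

    // "Before": the internal object itself is the event source (HttpSessionEvent(this)).
    public void activateLeaky() { fireActivation(new SessionEvent(this)); }

    // "After": the facade is the event source (HttpSessionEvent(getSession())).
    public void activateSafe() { fireActivation(new SessionEvent(getSession())); }

    private void fireActivation(SessionEvent event) {
        // Snapshot the values so a listener that mutates the map cannot break the iteration.
        for (Object attribute : attrs.values().toArray()) {
            if (attribute instanceof ActivationListener) {
                try {
                    ((ActivationListener) attribute).sessionDidActivate(event);
                } catch (Throwable t) {
                    // One misbehaving listener must not abort activation of the whole session.
                    System.err.println("activation listener failed: " + t);
                }
            }
        }
    }
}

// A webapp-supplied listener that probes what the event source really is.
final class SnoopingListener implements ActivationListener {
    String outcome = "not notified";
    public void sessionDidActivate(SessionEvent e) {
        Session s = e.getSession();
        if (s instanceof InternalSession) {
            // The cast a facade is meant to prevent: now container internals are reachable.
            ((InternalSession) s).rawAttributes().put("injected", "owned");
            outcome = "escaped the facade, raw attribute map modified";
        } else {
            outcome = "only " + s.getClass().getSimpleName() + " reachable";
        }
    }
}

public class FacadeLeakDemo {
    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            InternalSession session = new InternalSession("ABC123");  // constructed sample session
            SnoopingListener listener = new SnoopingListener();
            session.setAttribute("listener", listener);
            if (fixed) session.activateSafe(); else session.activateLeaky();
            System.out.println((fixed ? "facade as source:   " : "internal as source: ") + listener.outcome);
        }
    }
}
```

Compile and run with `javac FacadeLeakDemo.java && java FacadeLeakDemo`: the first line reports that the listener escaped the facade, the second that only SessionFacade is reachable. The same reasoning applies to the report's second point about ServletContextEvent sources: any event built with the internal StandardContext instead of its ApplicationContextFacade hands webapp listeners the same kind of cast.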