http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12968

[Possible security hole?] package.access security in Catalina/CatalinaService

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From [EMAIL PROTECTED]  2002-09-25 02:19 -------

This would have been very easy to verify. If you had taken the time to do so
you would have found that those package.access and package.define settings
work just fine. You end up getting a ClassNotFoundException.

Here is an example JSP. In this instance the checkPackageDefinition code in
the WebappClassLoader fails and a ClassNotFoundException is thrown.

    <html>
    <body>
    This is a test of package access.
    <%
      System.out.println("Before Class.forName()");
      try {
        // Try to load an internal Catalina class from web application code
        Class clazz = Class.forName("org.apache.catalina.Globals");
        System.out.println("After Class.forName()");
      } catch(Exception e) {
        System.out.println("CLAZZ Exception: " + e.getMessage());
        e.printStackTrace();
      }
    %>
    </body>
    </html>

Please don't submit a bug report when you are only speculating that there may
be a security bug. If you can _prove_ that there is a security bug, please
send email to [EMAIL PROTECTED]; real security bugs should not be posted to an
email list or submitted as a bugzilla report.