DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12968>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12968 [Possible security hole?] package.access security in Catalina/CatalinaService ------- Additional Comments From [EMAIL PROTECTED] 2002-09-26 02:50 ------- Vetting applications for security vulnerabilities is important. I applaud efforts to do so, the more eyes reviewing _and_ testing code for vulnerabilities the better. What I dislike are your methods. You speculate that there may be a security hole and post it as a critical bug. Without doing any testing to verify that your assumptions are correct. I then responded to your bug report with example code which disproves your speculation that a security bug exists. The reason I took the tone I did is because security _is_ important. When a security announcement is made regarding Tomcat it ends up in CERT advisory's and on bugtraq. Your second post now speculates on a different possible security bug related to class loading and package access. Once again without writing any code to test whether your assumptions are correct before posting. Yes, org.apache.catalina.* classes get loaded by the server class loader. (Except for those dozen or so in bootstrap.jar) But all ClassLoaders in the delegation path for a web application implement checkPackageAccess() and checkPackageDefinition(). So the packages restricted by the package.access and package.defnition properties will be honored by all of the possible class loaders which can be delegated to. Including the ClassLoader for the class path and the system classloader. Those checks will fail if _any_ classes on the java stack since the last doPrivileged() call have not been granted the appropriate permission. The test I posted proved that org.apache.catalina.* is equivalent to org.apache.catalina for the purposes of package access restrictions. Here is a good overview of how the Java SecurityManager works within Tomcat: http://kinetic.more.net/web/javaserver/security.shtml Please send any followup discussion about clasloading or the Java SecurityManager to the tomcat-dev or tomcat-uesr lists. This bug report is closed. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
