<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Author: markt > Date: Thu May 31 19:35:40 2007 > New Revision: 543366 > > URL: http://svn.apache.org/viewvc?view=rev&rev=543366 > Log: > Add a warning to the httpd docs. There have been a couple of security > reports, bugs and questions to the users list about this recently. > > Modified: > tomcat/connectors/trunk/jk/xdocs/reference/apache.xml > tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml > > Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml > URL: > http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=543366&r1=543365&r2=543366 > ============================================================================== > --- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original) > +++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Thu May 31 > 19:35:40 2007 > @@ -13,7 +13,8 @@ > > <body> > > -<section name="Configuration Directives"> <p> > +<section name="Configuration Directives"> > +<p> > Most of the directives are allowed once in the global part of the Apache > httpd > configuration and once in every <VirtualHost> elements. Exceptions > from this rule are > explicitely listed in the table below. > @@ -24,6 +25,10 @@ > Exceptions from this rule are > again explicitely listed in the table below. > </p> > +<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat > Host's > +appBase or the docBase of any Context. Configuring httpd/Tomcat this way > is very > +likely to result in JSP source code disclosure and/or other security > issues. > +</b></p>
IMHO, this is misleading. It requires a lot more httpd configuration to make this secure, but it isn't in and of itself insecure. And, if you are going to go this route, you should also warn about: Alias /myapp /var/tomcat/webapps/myapp > <p> > Here are the all directives supported by Apache: > </p> > > Modified: tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml > URL: > http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml?view=diff&rev=543366&r1=543365&r2=543366 > ============================================================================== > --- tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml (original) > +++ tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml Thu May 31 > 19:35:40 2007 > @@ -44,6 +44,11 @@ > and <a href="../reference/apache.html">Apache</a>. > </p> > > +<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat > Host's > +appBase or the docBase of any Context. Configuring httpd/Tomcat this way > is very > +likely to result in JSP source code disclosure and/or other security > issues. > +</b></p> > + > <p> > This document was originally part of <b>Tomcat: A Minimalistic User's > Guide</b> written by Gal Shachor, > but has been split off for organizational reasons.
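Review bot: the @@ -13,7 hunk of reference/apache.xml is a pure whitespace change (splitting `<section name="Configuration Directives"> <p>` onto two lines) that the log message does not mention; if that paragraph is being touched anyway, it is also the place to fix the misspelled "explicitely" in the two surrounding sentences, otherwise consider keeping unrelated formatting out of a commit whose purpose is to add a security warning.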
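Review bot: the new warning in the @@ -24,6 hunk of reference/apache.xml states the consequence (JSP source code disclosure) but neither the cause nor the remedy, and the reply in this thread points out that `Alias /myapp /var/tomcat/webapps/myapp` creates the same exposure as an overlapping DocumentRoot. Suggest one more sentence along the lines of: httpd serves anything under its DocumentRoot or an Alias target as static files without passing the request to Tomcat, so .jsp files and other deployment-only content become downloadable; keep DocumentRoot and Alias targets outside any appBase or docBase, or, where the overlap is deliberate, restrict access to those paths in the httpd configuration.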
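Review bot: the @@ -44,6 hunk of webserver_howto/apache.xml duplicates the warning paragraph verbatim from reference/apache.xml, and two copies will drift the first time one is edited; since the sentence immediately before it already links to ../reference/apache.html, consider keeping the full text in the reference page and having the howto carry a one-line pointer to it, or at minimum add a comment in both files that the wording must be kept in sync.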