Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability

2008-08-02 Thread Mark Thomas
William A. Rowe, Jr. wrote: Mark Thomas wrote: Description: When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a sec

Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability

2008-08-02 Thread William A. Rowe, Jr.
Mark Thomas wrote: What mitigations are you thinking of? The description is intended to be sufficient for a user to determine if they match the vulnerability conditions. And for this notice I believe it meets this criteria. In this case there is no way of configuring yourself away from

DO NOT REPLY [Bug 43656] ELSupport.coerceToType modifies BigDecimal Values

2008-08-02 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43656 Luke Kolin <[EMAIL PROTECTED]> changed: What|Removed |Added Status|RESOLVED|REOPENED

JspValueExpression behavior different

2008-08-02 Thread Arnold Schneeberger
Why does the method "isLiteralText" always return "true" in my custom tag? There are obvious different behaviors between jetty and tomcat. public class EncryptedEmailTag extends UIComponentELTag { ... private ValueExpression address; ... protected void setPro

Re: JspValueExpression behavior different

2008-08-02 Thread Mark Thomas
Arnold Schneeberger wrote: Why does the method "isLiteralText" always return "true" in my custom tag? There are obvious different behaviors between jetty and tomcat. Probably a bug. Mark

svn commit: r682042 - /tomcat/tc6.0.x/trunk/STATUS.txt

2008-08-02 Thread markt
Author: markt Date: Sat Aug 2 13:06:35 2008 New Revision: 682042 URL: http://svn.apache.org/viewvc?rev=682042&view=rev Log: Update fix Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=6

AW: JspValueExpression behavior different

2008-08-02 Thread Arnold Schneeberger
Is there a workaround - or what you mean with "probably a bug" -Original Message- From: Mark Thomas [mailto:[EMAIL PROTECTED] Sent: Saturday, 02 August 2008 20:40 To: Tomcat Developers List Subject: Re: JspValueExpression behavior different Arnold Schneeberger wrote: > Why does

Re: AW: JspValueExpression behavior different

2008-08-02 Thread Mark Thomas
Arnold Schneeberger wrote: Is there a workaround - or what you mean with "probably a bug" I mean that if the behaviours are different, at least one implementation has a bug. From a quick scan, it looks like Tomcat is in the wrong but I haven't looked at it in any detail. Mark