head	1.12;
access;
symbols
	pkgsrc-2013Q2:1.12.0.50
	pkgsrc-2013Q2-base:1.12
	pkgsrc-2012Q4:1.12.0.48
	pkgsrc-2012Q4-base:1.12
	pkgsrc-2011Q4:1.12.0.46
	pkgsrc-2011Q4-base:1.12
	pkgsrc-2011Q2:1.12.0.44
	pkgsrc-2011Q2-base:1.12
	pkgsrc-2009Q4:1.12.0.42
	pkgsrc-2009Q4-base:1.12
	pkgsrc-2008Q4:1.12.0.40
	pkgsrc-2008Q4-base:1.12
	pkgsrc-2008Q3:1.12.0.38
	pkgsrc-2008Q3-base:1.12
	cube-native-xorg:1.12.0.36
	cube-native-xorg-base:1.12
	pkgsrc-2008Q2:1.12.0.34
	pkgsrc-2008Q2-base:1.12
	pkgsrc-2008Q1:1.12.0.32
	pkgsrc-2008Q1-base:1.12
	pkgsrc-2007Q4:1.12.0.30
	pkgsrc-2007Q4-base:1.12
	pkgsrc-2007Q3:1.12.0.28
	pkgsrc-2007Q3-base:1.12
	pkgsrc-2007Q2:1.12.0.26
	pkgsrc-2007Q2-base:1.12
	pkgsrc-2007Q1:1.12.0.24
	pkgsrc-2007Q1-base:1.12
	pkgsrc-2006Q4:1.12.0.22
	pkgsrc-2006Q4-base:1.12
	pkgsrc-2006Q3:1.12.0.20
	pkgsrc-2006Q3-base:1.12
	pkgsrc-2006Q2:1.12.0.18
	pkgsrc-2006Q2-base:1.12
	pkgsrc-2006Q1:1.12.0.16
	pkgsrc-2006Q1-base:1.12
	pkgsrc-2005Q4:1.12.0.14
	pkgsrc-2005Q4-base:1.12
	pkgsrc-2005Q3:1.12.0.12
	pkgsrc-2005Q3-base:1.12
	pkgsrc-2005Q2:1.12.0.10
	pkgsrc-2005Q2-base:1.12
	pkgsrc-2005Q1:1.12.0.8
	pkgsrc-2005Q1-base:1.12
	pkgsrc-2004Q4:1.12.0.6
	pkgsrc-2004Q4-base:1.12
	pkgsrc-2004Q3:1.12.0.4
	pkgsrc-2004Q3-base:1.12
	pkgsrc-2004Q2:1.12.0.2
	pkgsrc-2004Q2-base:1.12
	pkgsrc-2004Q1:1.11.0.10
	pkgsrc-2004Q1-base:1.11
	pkgsrc-2003Q4:1.11.0.8
	pkgsrc-2003Q4-base:1.11
	netbsd-1-6-1:1.11.0.4
	netbsd-1-6-1-base:1.11
	netbsd-1-6:1.11.0.6
	netbsd-1-6-RELEASE-base:1.11
	pkgviews:1.11.0.2
	pkgviews-base:1.11
	buildlink2:1.10.0.2
	buildlink2-base:1.11
	netbsd-1-5-PATCH003:1.8
	netbsd-1-5-PATCH001:1.6
	netbsd-1-5-RELEASE:1.3
	netbsd-1-4-PATCH003:1.3
	netbsd-1-4-PATCH002:1.1.1.1
	pkgsrc-base:1.1.1.1
	TNF:1.1.1;
locks; strict;
comment	@# @;


1.12
date	2004.04.29.18.24.55;	author erh;	state dead;
branches;
next	1.11;

1.11
date	2002.05.20.19.06.03;	author cjep;	state Exp;
branches;
next	1.10;

1.10
date	2002.04.19.17.48.21;	author jwise;	state Exp;
branches
	1.10.2.1;
next	1.9;

1.9
date	2002.04.19.15.54.21;	author jwise;	state Exp;
branches;
next	1.8;

1.8
date	2001.08.11.22.05.23;	author jwise;	state Exp;
branches;
next	1.7;

1.7
date	2001.06.21.13.12.27;	author abs;	state Exp;
branches;
next	1.6;

1.6
date	2001.03.29.22.22.13;	author jwise;	state Exp;
branches;
next	1.5;

1.5
date	2001.03.28.02.46.08;	author jwise;	state Exp;
branches;
next	1.4;

1.4
date	2000.12.13.03.49.30;	author jwise;	state Exp;
branches;
next	1.3;

1.3
date	2000.09.03.13.38.49;	author wiz;	state Exp;
branches;
next	1.2;

1.2
date	2000.05.14.23.35.27;	author jwise;	state Exp;
branches;
next	1.1;

1.1
date	2000.01.12.22.21.35;	author jwise;	state Exp;
branches
	1.1.1.1;
next	;

1.10.2.1
date	2002.06.23.19.03.55;	author jlam;	state Exp;
branches;
next	;

1.1.1.1
date	2000.01.12.22.21.35;	author jwise;	state Exp;
branches;
next	;


desc
@@


1.12
log
@Update the jakarta-tomcat package to Tomcat 5.0.19.
This is a Java Servlet 2.4 and JSP 2.0 server.
@
text
@$NetBSD: patch-aa,v 1.11 2002/05/20 19:06:03 cjep Exp $
--- build.xml.orig	Fri Oct 26 09:59:03 2001
+++ build.xml	Fri Apr 19 13:38:31 2002
@@@@ -2,15 +2,15 @@@@
 
 
   <!-- ==================== Initialization properties ===================== -->
-  <property name="ant.home" value="../jakarta-ant"/>
-  <property name="debug" value="on"/>
+  <property name="ant.home" value="${pkgsrc.prefix}"/>
+  <property name="debug" value="off"/>
   <property name="j2ee.home" value="../../j2ee/build/unix"/>
-  <property name="jaxp" value="../jaxp-1.1/jaxp.jar" />
-  <property name="parser" value="../jaxp-1.1/crimson.jar" />
+  <property name="jaxp" value="${pkgsrc.prefix}/lib/java" />
+  <property name="parser" value="${pkgsrc.prefix}/lib/java/crimson.jar" />
   <property name="optimize" value="true" />
-  <property name="servlet.jar" value="../jakarta-servletapi/lib/servlet.jar"/>
+  <property name="servlet.jar" value="${pkgsrc.prefix}/lib/java/servlet.jar"/>
   <property name="tomcat.build" value="../build/tomcat"/>
-  <property name="tomcat.dist" value="../dist/tomcat"/>
+  <property name="tomcat.dist" value="${pkgsrc.prefix}/tomcat"/>
 
 
   <!-- ======================== Copy static files ========================= -->
@@@@ -31,14 +31,18 @@@@
 
     <!-- Copy executables and scripts -->
     <copy todir="${tomcat.build}/bin">
-      <fileset dir="${ant.home}/bin" includes="ant*"/>
-      <fileset dir="src/shell"/>
+      <!-- <fileset dir="${ant.home}/bin" includes="ant*"/> -->
+      <fileset dir="src/shell" excludes="*.bat"/>
     </copy>
 
     <!-- Copy configuation files -->
     <copy todir="${tomcat.build}/conf">
       <fileset dir="src/etc"/>
     </copy>
+    <move todir="${tomcat.build}/conf/">
+      <fileset dir="${tomcat.build}/conf/" includes="jni_server.xml,server.xml,tomcat.policy,tomcat-users.xml,web.xml,workers.properties"/>
+      <mapper type="glob" from="*" to="*.default"/>
+    </move>
     <copy tofile="${tomcat.build}/conf/build.xml"
             file="build.xml"/>
 
@@@@ -51,6 +55,7 @@@@
     <copy tofile="${tomcat.build}/KEYS" file="KEYS"/>
 
     <!-- Copy library JAR files -->
+    <!--
     <copy tofile="${tomcat.build}/lib/ant.jar"
             file="${ant.home}/lib/ant.jar"/>
     <copy tofile="${tomcat.build}/lib/servlet.jar"
@@@@ -59,6 +64,7 @@@@
             file="${jaxp}"/>
     <copy todir="${tomcat.build}/lib"
             file="${parser}"/>
+    -->
 
     <!-- Copy golden files for the tests webapp -->
     <copy todir="${tomcat.build}/lib/test/Golden">
@@@@ -67,9 +73,11 @@@@
 
     <!-- Fixups for line endings and executable permissions -->
     <fixcrlf srcdir="${tomcat.build}" includes="**/*.sh" cr="remove"/>
+    <!--
     <fixcrlf srcdir="${tomcat.build}" includes="**/*.bat" cr="add"/>
     <chmod perm="+x" file="${tomcat.build}/bin/ant"/>
     <chmod perm="+x" file="${tomcat.build}/bin/antRun"/>
+    -->
     <chmod perm="+x" file="${tomcat.build}/bin/jspc.sh"/>
     <chmod perm="+x" file="${tomcat.build}/bin/startup.sh"/>
     <chmod perm="+x" file="${tomcat.build}/bin/shutdown.sh"/>
@@@@ -84,9 +92,9 @@@@
 
     <!-- Determine availability of optional components -->
     <available property="jsse.present" 
-               classname="com.sun.net.ssl.internal.ssl.Provider" />
+               classname="NotFoundForPkgsrc" />
     <available property="jdk12.present"
-               classname="java.security.PrivilegedAction" />
+               classname="NotFoundForPkgsrc" />
 
     <!-- Compile the standard Tomcat components -->
     <javac srcdir="src/share" destdir="${tomcat.build}/classes"
@@@@ -96,6 +104,8 @@@@
            deprecation="off" >
            <exclude name="**/Jdk12Interceptor.java" 
                     unless="jdk12.present"/>
+           <exclude name="**/Jdk12Support.java"
+                    unless="jdk12.present"/>
            <exclude name="**/SetSecurityManager.java" 
                     unless="jdk12.present"/>
            <exclude name="**/EmbededTomcat.java" 
@@@@ -204,8 +214,10 @@@@
     </copy>
 
     <!-- Fixups for executable permissions -->
+    <!--
     <chmod perm="+x" file="${tomcat.dist}/bin/ant"/>
     <chmod perm="+x" file="${tomcat.dist}/bin/antRun"/>
+    -->
     <chmod perm="+x" file="${tomcat.dist}/bin/jspc.sh"/>
     <chmod perm="+x" file="${tomcat.dist}/bin/startup.sh"/>
     <chmod perm="+x" file="${tomcat.dist}/bin/shutdown.sh"/>
@


1.11
log
@Add NetBSD tags.
@
text
@d1 1
a1 1
$NetBSD$
@


1.10
log
@Fix build in java2 case.  This is somewhat of a kluge for the fact that
tomcat makes mistaken assumptions about which revisions of java some
features became available in, and to ensure that the package works with
both jdk-1.1 and later (emulated) jdks.
@
text
@d1 1
@


1.10.2.1
log
@Merge from pkgsrc-current to buildlink2 branch.
@
text
@a0 1
$NetBSD: patch-aa,v 1.11 2002/05/20 19:06:03 cjep Exp $
@


1.9
log
@Update jakarta-servletapi, jakarta-tomcat, and ap-jk to version 3.2.4.

We are not advancing to the 3.3 or 4.0 branches at the moment, as neither
will work with our native JDK without a lot more work.

Changes since Tomcat 3.2.3 (the last pkgsrc version):

7.1 Fixes and Enhancements in Release 3.2.4

This section highlights the bugs fixed in this release.

  -  Cookie name expires is a reserved token (#1114)
  -  Thread initialization problem in thread pool (#1745)
  -  AJP12 returned invalid HTTP headers when redirecting to very
     long URLS (#2333)
  -  Fixed casting problem in JspFactoryImpl.getPageContext().  (#4260)
  -  Setting sesstion-timeout in web.xml did not prevent sessions from
     timing out.  (#4412)
  -  Fixed race condition in ServerSocketFactory.getDefault().  (#4418)
  -  Removed the restrictions on encoded spcecial characters in URLs
     that was added as a security precaution in 3.2.3.  The encoded
     special characters are not decoded and remain the URL and
     path info returned to servlets.
  -  Jk_nt_service now supports the ability to be restarted automatically
     by the Windows 2000 service control manager if Tomcat terminates
     abnormally.
  -  Fixed invalid servlet mapping in web.xml generated by JspC (#3474, #3499)
  -  Added findResource() and findResources() to AdaptiveClassLoader12
  -  A Date: HTTP header is now sent in responses when running stand
     alone. (#345)
  -  Simple held on to a reference to removed objects preventing
     garbage collection.
  -  Tomcat 3.2.4 now ships with JAXP 1.1.  Prior releases used
     JAXP 1.0.1.  Tomcat 3.2.4 remains completely compatible with
     the older version of JAXP and there is no requirement for users
     to upgrade to JAXP 1.1 unless their applications require the new
     version.
  -  Fixed NullPointerException in HttpConnectionHandler.  (#4577)


7.2 Security Vulnerabilities fixed in Tomcat 3.2.4

The randomness of generated session ids has been enhanced to prevent the
generation of guessable ids.
@
text
@d2 1
a2 1
+++ build.xml	Fri Apr 19 11:25:00 2002
d74 12
@


1.8
log
@Update jakarta-{servletapi,tomcat} to version 3.2.3.  The only real change
is a fix to a security problem allowing unauthorized access to protected
content.
@
text
@d1 10
a10 5
--- build.xml.orig	Tue Jul 17 07:25:27 2001
+++ build.xml	Sat Aug 11 15:23:28 2001
@@@@ -5,11 +5,11 @@@@
   <property name="ant.home" value="../jakarta-ant"/>
   <property name="debug" value="on"/>
d12 2
a13 1
-  <property name="jaxp" value="../jaxp-1.0.1" />
d15 1
d25 1
a25 1
@@@@ -30,14 +30,18 @@@@
d46 1
a46 1
@@@@ -50,14 +54,16 @@@@
a49 8
-    <copy tofile="${tomcat.build}/lib/ant.jar"
-            file="${ant.home}/lib/ant.jar"/>
-    <copy tofile="${tomcat.build}/lib/servlet.jar"
-            file="${servlet.jar}"/>
-    <copy tofile="${tomcat.build}/lib/jaxp.jar"
-            file="${jaxp}/jaxp.jar"/>
-    <copy tofile="${tomcat.build}/lib/parser.jar"
-            file="${jaxp}/parser.jar"/>
d51 7
a57 8
+    	<copy tofile="${tomcat.build}/lib/ant.jar"
+       	      file="${ant.home}/lib/ant.jar"/>
+    	<copy tofile="${tomcat.build}/lib/servlet.jar"
+      	      file="${servlet.jar}"/>
+    	<copy tofile="${tomcat.build}/lib/jaxp.jar"
+      	      file="${jaxp}/jaxp.jar"/>
+    	<copy tofile="${tomcat.build}/lib/parser.jar"
+       	      file="${jaxp}/parser.jar"/>
d62 1
a62 1
@@@@ -66,9 +72,11 @@@@
a65 3
-    <fixcrlf srcdir="${tomcat.build}" includes="**/*.bat" cr="add"/>
-    <chmod perm="+x" file="${tomcat.build}/bin/ant"/>
-    <chmod perm="+x" file="${tomcat.build}/bin/antRun"/>
d67 3
a69 3
+    	<fixcrlf srcdir="${tomcat.build}" includes="**/*.bat" cr="add"/>
+    	<chmod perm="+x" file="${tomcat.build}/bin/ant"/>
+    	<chmod perm="+x" file="${tomcat.build}/bin/antRun"/>
d74 1
a74 12
@@@@ -82,8 +90,10 @@@@
   <target name="tomcat" depends="prepare">
 
     <!-- Determine availability of optional components -->
+    <!-- no JSSE yet
     <available property="jsse.present" 
                classname="com.sun.net.ssl.internal.ssl.Provider" />
+    -->
     <available property="jdk12.present"
                classname="java.security.PrivilegedAction" />
 
@@@@ -95,6 +105,8 @@@@
d78 1
a78 1
+           <exclude name="**/Jdk12Support.java" 
d83 1
a83 10
@@@@ -107,6 +119,8 @@@@
                     unless="jdk12.present"/>
            <exclude name="**/SSLSocketFactory.java"
                     unless="jsse.present" />
+           <exclude name="**/EmbededTomcat.java" 
+                    unless="jsse.present"/>
     </javac>
 
     <!-- Copy the corresponding resource files -->
@@@@ -203,8 +217,10 @@@@
a86 2
-    <chmod perm="+x" file="${tomcat.dist}/bin/ant"/>
-    <chmod perm="+x" file="${tomcat.dist}/bin/antRun"/>
d88 2
a89 2
+    	<chmod perm="+x" file="${tomcat.dist}/bin/ant"/>
+    	<chmod perm="+x" file="${tomcat.dist}/bin/antRun"/>
@


1.7
log
@Switch to a dynamic PLIST so we can install against jdk or sun-jdk
@
text
@d1 4
a4 6
$NetBSD$

--- build.xml.orig	Tue Dec 12 22:51:36 2000
+++ build.xml
@@@@ -6,11 +6,11 @@@@
   <property name="build.compiler" value="classic"/>
d18 1
a18 1
@@@@ -31,14 +31,19 @@@@
a30 1
+      <!-- <mapper type="glob" from="*.xml" to="*.xml.default"/> -->
d39 2
a40 2
@@@@ -49,14 +54,14 @@@@
     <copy tofile="${tomcat.build}/LICENSE" file="LICENSE"/>
d51 10
a60 8
+    <!-- <copy tofile="${tomcat.build}/lib/ant.jar"
+            file="${ant.home}/lib/java/ant.jar"/> -->
+    <!-- <copy tofile="${tomcat.build}/lib/servlet.jar"
+            file="${servlet.jar}"/> -->
+    <!-- <copy tofile="${tomcat.build}/lib/jaxp.jar"
+            file="${jaxp}/jaxp.jar"/> -->
+    <!-- <copy tofile="${tomcat.build}/lib/parser.jar"
+            file="${jaxp}/parser.jar"/> -->
d64 1
a64 1
@@@@ -65,9 +70,9 @@@@
d71 5
a75 3
+    <!-- <fixcrlf srcdir="${tomcat.build}" includes="**/*.bat" cr="add"/> -->
+    <!-- <chmod perm="+x" file="${tomcat.build}/bin/ant"/> -->
+    <!-- <chmod perm="+x" file="${tomcat.build}/bin/antRun"/> -->
d79 1
a79 1
@@@@ -81,8 +86,10 @@@@
d83 1
a83 1
+    <!-- No JSSE yet
d90 3
a92 1
@@@@ -104,8 +111,10 @@@@
d94 3
a96 1
            <exclude name="**/AdaptiveClassLoader12.java" 
d98 5
a104 3
            <exclude name="**/SSLSocketFactory.java"
-                    unless="jsse.present" />
+                    unless="jsse.present"/>
d108 1
a108 1
@@@@ -202,8 +211,8 @@@@
d114 4
a117 2
+    <!-- <chmod perm="+x" file="${tomcat.dist}/bin/ant"/> -->
+    <!-- <chmod perm="+x" file="${tomcat.dist}/bin/antRun"/> -->
@


1.6
log
@Add `workers.properties' to config files which receive special treatment.
@
text
@d1 4
a4 3
$NetBSD: patch-aa,v 1.5 2001/03/28 02:46:08 jwise Exp $
--- build.xml.orig	Tue Dec 12 14:51:36 2000
+++ build.xml	Tue Mar 27 17:17:22 2001
d78 24
a101 1
@@@@ -202,8 +207,8 @@@@
@


1.5
log
@Update jakarta-tomcat to version 3.2.1.

Changes in the package since version 3.1.1 (the last pkgsrc version):
=====================================================================

  * tomcat is now always installed under ${PREFIX}/tomcat.  Making
    ${TOMCAT_HOME} configurable added much complexity for not real
    gain.

    It had been my intention to aim for a hier(7) like install for
    tomcat with this version, but at this point there are way to many
    hard-coded relative paths (relative to tomcat.home) in tomcat,
    and in addition, all of the (quite good, really) documentation
    assumes the standard install paths.

    Note that the previous default value of ${TOMCAT_HOME} was
    ${PREFIX}/jakarta/tomcat.

  * an rc.subr compatible (but not requiring) startup script is now installed
    as ${PREFIX}/etc/rc.d/tomcat.

  * if Sun's JSSE (Java Secure Socket Extensions) is in ${CLASSPATH} when
    the pkg is built, tomcat will be built with support for SSL in the
    standalone server mode.  This soft dependency will be replaced by a
    hard dependency as soon as I get a chance to import a JSSE package
    (soon).

  * likewise, I will import an ap-jk package for the new apache connector
    (mod_jk) soon.  ap-jserv continues to be usable for this purpose.

Changes in tomcat itself since version 3.1.1:
=============================================

New in tomcat-3.2.1:
--------------------
Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2
(final) code base.  The following changes are included:

- Disallowed requesting JSP pages under the WEB-INF directory
  (/WEB-INF/dummy.jsp).  Previously, only requests for static files
  were being disallowed.

- The JDBCRealm request interceptor will now log the description of any
  JDBC exception that occurs, to aid in debugging.

SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1
(note that these fixes were also made to the tomcat-3.1 branch in tomcat 3.1.1)

Protection of Resources in /WEB-INF and /META-INF Directories

The servlet specification prohibits servlet containers from serving resources
in the /WEB-INF and /META-INF directories of a web application archive directly
to clients.  In Tomcat 3.2, this means that URLs like:

   http://localhost:8080/examples/WEB-INF/web.xml

will return an error message, rather than the contents of your deployment
descriptor.  However, there is a vulnerability in Tomcat 3.2 that exposes
this information if the client requests a URL like this instead:

       http://localhost:8080/examples//WEB-INF/web.xml

(note the double slash before "WEB-INF").  This vulnerability has been
corrected in Tomcat 3.2.1.

Show Source Vulnerability

The example application delivered with Tomcat 3.2 included a mechanism to
display the source code for the JSP page examples.  This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories.  This vulnerability has been removed.

New in tomcat-3.2:
------------------
Tomcat 3.2 is mainly a performance tune-up release, although a few new
features have been added.

- Support for mod_jk, which is a replacement to the elderly mod_jserv, has
  had several bugs fixed and has received much more testing.  It is now
  recommended that all users use mod_jk instead of mod_jserv.

- Support JAXP-based XML parser independence.

- New and often requested "how-to" documents covering the following topics:
     - Configuring workers.properties
     - IIS and Netscape configuration
     - Running tomcat inside an IIS or Netscape process
     - Running Tomcat as a Windows NT service
     - Configuring a JDBC realm
     - Configuring mod_jk

- First round of policy-based security support intended for running untrusted
  code inside of Tomcat.  Interested users should test this support and post
  feedback to the Tomcat users mailing list.

- SSL support for standalone Tomcat. (Preliminary support first appeared in
  3.1, but the support in 3.2 has received more testing and documentation
  support).

- Thread reuse is now enabled by default. The thread pool support code was part
  of 3.1, but not enabled since it was new.

- Support for plug-able session managers.  Unfortunately, no how-to documents
  that support this functionality exist (yet). For the adventurous, be aware
  that the interface that allows administrators to plug session managers is
  the normal Interceptor interface.

- An almost total rewrite of the HTTP request handling now results in improved
  performance when running Tomcat stand-alone.

- Significantly reduced garbage collection.

- The code underwent a refactoring effort resulting in improved readability.

- And of course, hundreds of miscellaneous improvements and fixes.
@
text
@d1 1
a1 1
$NetBSD$
d35 1
a35 1
+      <fileset dir="${tomcat.build}/conf/" includes="jni_server.xml,server.xml,tomcat.policy,tomcat-users.xml,web.xml"/>
@


1.4
log
@Update jakarta-tomcat to 3.1.1.  This is a security fix release, and the
vulnerabilities file will be updated.

Changes from jakarta-tomcat-3.1:

===============================================================================
6.  SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1


6.1 Administrative Application Enabled By Default

The administrative application (at context path "/admin") was enabled by
default in Tomcat 3.1, which allowed unauthenticated remote users to add and
remove appliations from a running Tomcat 3.1 installation if it was left
installed.

To avoid such problems, the administrative application has been removed from
the binary distribution of Tomcat 3.1.1.  It can be installed if desired by:
- Downloading the source distribution of Tomcat 3.1.1.
- Modifying the "build.xml" file to remove the commenting around the
  logic that creates the adminstrative application.
- Running the build.sh or build.bat script.


6.2 Case Sensitive Matches on Static Resources

In Tomcat 3.1, matches against the filenames of static resources was done in a
case insensitive manner on case insensitive platforms (such as Microsoft
Windows).  This can cause sensitive information to be exposed to remote users
who experiment with differently cased request URIs.

To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static
resources in a case sensitive manner, even on Windows.  This means that your
hyperlinks must specify the correct case, or a 404 error will be returned.

Because this can cause significant conversion problems for existing
applications deployed on Tomcat 3.1, a configuration option is provided to
temporarily turn off case sensitive matching.  Edit the file "conf/web.xml"
and modify the value for the "caseSensitive" initialization parameter to the
default file-serving servlet.

WARNING:  CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY
PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR
URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION.  Note:  All later
versions of Tomcat perform filename matches in a case sensitive manner.


6.3 Snoop Servlet Mappings in Example Application

In the deployment descriptor for the example application delivered with
Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and
"*.snp".  Theses mappings (in particular the second one) could cause exposure
of sensitive information on the internal organization of your web application
(for example, when a non-existent page "foo.snp" is requested).

To avoid these problems, the offending mappings have been commented out.


6.4 Show Source Vulnerability

The example application delivered with Tomcat 3.1 included a mechanism to
display the source code for the JSP page examples.  This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories.  This vulnerability has been removed.


6.5 Requesting Unknown JSP Pages

In Tomcat 3.1, the error message in response to a request for an unknown JSP
page would include the absolute disk file pathname of the corresponding file
which could not be found, which exposes sensitive information about how your
application is deployed.  The error message has been adjusted to include only
the context-relative path of the JSP page which could not be found.


6.6 Session ID Vulnerability

The algorithm used to calculate session identifiers for new sessions was
subject to attack by attempting to guess what the next session identifier will
be, and therefore hijack the session.  In addition, the generated identifier
exposed sensitive information (the number of sessions that have been created
since this web application was started.

To avoid these problems, the session identifier generation algorithm has been
replaced by the algorithm used in Tomcat 3.2, which is not subject to these
attacks, and does not expose session count information.


6.7 Server Shutdown Vulnerability

In Tomcat 3.1, it was possible to establish a remote network connection to the
AJP12 connector and cause Tomcat to shut itself down.  Now, this network
connection must be created from the same server that Tomcat is running on.

NOTE:  While this is more secure than Tomcat 3.1 (and mirrors the protection
provided by Tomcat 3.2), it is still vulnerable to attack by users who can
create socket connections from the server.  Suitable use of firewalls and
"TCP Wrappers" applications are suggested around the APJ12 port.
@
text
@d2 14
a15 9
--- build.xml.orig	Tue Dec 12 14:50:46 2000
+++ build.xml	Tue Dec 12 18:53:17 2000
@@@@ -6,7 +6,7 @@@@
     <property name="ant.home" value="../jakarta-ant" />
     <property name="build.compiler" value="classic"/>
     <property name="tomcat.build" value="../build/tomcat"/>
-    <property name="tomcat.home" value="../dist/tomcat"/>
+    <property name="tomcat.home" value="@@JAKARTA_HOME@@/tomcat"/>
   </target>
d17 71
a87 1
   <!-- ==================== Copy static files ==================== -->
@


1.3
log
@add RCS Ids
@
text
@d2 2
a3 2
--- build.xml.orig	Sun May 14 17:16:26 2000
+++ build.xml	Sun May 14 17:17:45 2000
d5 8
a12 8
     <property name="ant.home" value="../jakarta-ant" />
     <property name="build.compiler" value="classic"/>
     <property name="tomcat.build" value="../build/tomcat"/>
-    <property name="tomcat.home" value="../dist/tomcat"/>
+    <property name="tomcat.home" value="@@JAKARTA_HOME@@/tomcat"/>
   </target>
 
   <!-- ==================== Copy static files ==================== -->
@


1.2
log
@Update jakarta-tomcat to version 3.1.  While here, clean up the package
a fair deal.

Changes from 3.0 (the last pkgsrc version) include:

    * Thread pooling and JVM load balancing
    * ISAPI and NSAPI integration
    * A Command line JSP to Servlet Code tool
    * Automatic generation of Apache configuration files
    * Automatic deployment of Web ARchive (WAR) files
    * Logging
    * Substantially improved documentation
    * Experimental servlet reloading
    * Experimental security implementation
    * Minimal Admin/Deployment Tool
    * Internal APIs were changed for flexibility and integration
    * The source code was cleaned and reorganized
    * Most non-essential code was moved out of tomcat.core
    * Greater platform / JVM level coverage
    * Many, many bugs were fixed.

IMHO, this is _much_ closer to being a real, usable platform than 3.0 was
(as was intender - 3.0 was more of a proof of concept), and is very close
to being something to push into production -- I'm banking on a late 3.1.X
or 3.2 for that.
@
text
@d1 1
@


1.1
log
@Initial revision
@
text
@d1 11
a11 12
$NetBSD$
--- build.xml.orig	Wed Jan 12 14:17:55 2000
+++ build.xml	Wed Jan 12 14:19:03 2000
@@@@ -1,7 +1,7 @@@@
 <project name="Tomcat" default="main" basedir=".">
   <property name="build.compiler" value="classic"/>
   <property name="tomcat.build" value="../build/tomcat"/>
-  <property name="tomcat.home" value="../dist/tomcat"/>
+  <property name="tomcat.home" value="@@TOMCAT_HOME@@"/>
   <property name="test.classpath" value="${tomcat.build}/classes:../jakarta-tools/moo.jar" />
 
   <!-- Create directories, copy static files -->
@


1.1.1.1
log
@Initial import of jakarta-tomcat-3.0, the Apache Project Servlet/Java
Server Pages engine.

This currently runs as a standalone http server with Servlet/JSP support,
and will be usable with Apache Server if/when we have a mod_jserv package.
I will look into that next, unless someone is already.
@
text
@@