Add an option to the Context to control the blocking of XML external entities when parsing XML configuration files and enable this blocking by default when a security manager is used. The block is implemented via a custom resolver to enable the logging of any blocked entities.
This is the fix for CVE-2013-4590.
|
tomcat/tc6.0.x/trunk/STATUS.txt