I read "Up until Apache Tomcat 4.1.12, the invoker was enabled by default. However, a security flaw was recently uncovered whereby the invoker servlet could be used to see the source code of servlets that were generated from JSP pages."
Does anyone know if this has been fixed in 5.5.7? I guess not, since the automatic invoker is still turned off by default.
That Tomcat's own contributors call it "Evil" is enough cause for me to look at it "no further".
Given that there is a good-sized list of excellent reasons not to ever use it (and that no reasonable person will ever use it), the community that contributes to Tomcat would be right in deciding that any further work on it would be an absolute waste of time.