geronimo-dev mailing list archives

From Joe Bohn <>
Subject Re: Fw: geronimo 1.0 - CSS vulnerabilities
Date Tue, 17 Jan 2006 16:52:33 GMT
Yes, but the downside of that is that you must process the same records 
over and over again each time they are viewed (by each individual user).

Making the modification when logging the record itself makes the 
change once for any potential viewer and addresses the effort to modify 
the record at a point in time that will not affect the response of a 
user waiting to see the record.


Paul McMahan wrote:
> Either approach should work but I would prefer to address the 
> vulnerability in the log viewer portlet because it attaches the solution 
> closest to where the specific problem is at.  Also, the logger will be 
> called on every request and doing the extra string manipulations could 
> affect the web container's throughput.
>
> Best wishes,
> Paul
>
> On 1/17/06, *Joe Bohn* wrote:
>     Yes, this sounds like the best way to go.
>     Regarding the specific problem with the web console displaying the web
>     access log I'd like to get some consensus.  Is this something that the
>     containers should modify when storing the URL as part of a message in
>     the appropriate web log?  (I have confirmed this is a problem with both
>     Tomcat and Jetty)
>     Or, should we address this within the web access log viewer and/or
>     management objects to modify the content of the log records when they
>     are being displayed.
>     My preference would be to make the modification at the time the log
>     record is created.
>     Joe

Joe Bohn
joe.bohn at

"He is no fool who gives what he cannot keep, to gain what he cannot 
lose."   -- Jim Elliot
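
The two placements debated in this thread, side by side, as an added example that is not part of the original messages and is not Geronimo, Tomcat or Jetty code. The class and method names (`AccessLogEscaping`, `escapeHtml`, `renderRow`, `formatForStorage`) and the log lines are assumptions constructed for illustration.

```java
import java.util.List;

public class AccessLogEscaping {

    // Minimal HTML text-node encoder (hypothetical helper, not Geronimo code).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Option A: encode when the record is displayed; the stored log stays raw.
    static String renderRow(String storedRecord) {
        return "<tr><td>" + escapeHtml(storedRecord) + "</td></tr>";
    }

    // Option B: encode once when the record is written; every viewer gets
    // markup-safe text, but the file no longer holds the original request.
    static String formatForStorage(String rawRecord) {
        return escapeHtml(rawRecord);
    }

    public static void main(String[] args) {
        // Constructed sample access-log lines (not taken from a real server).
        List<String> requests = List.of(
            "10.0.0.5 - - [17/Jan/2006:16:40:01 +0000] \"GET /console/index.html HTTP/1.1\" 200",
            "10.0.0.9 - - [17/Jan/2006:16:41:12 +0000] \"GET /app/<script>alert(1)</script> HTTP/1.1\" 404");

        for (String raw : requests) {
            System.out.println("A stored: " + raw);
            System.out.println("A viewed: " + renderRow(raw));
            String stored = formatForStorage(raw);
            System.out.println("B stored: " + stored);
            // A viewer that escapes again would double-encode option B records.
            System.out.println("B viewed: <tr><td>" + stored + "</td></tr>");
        }
    }
}
```

With option A the encoding cost is paid on every view of a record; with option B it is paid once per request on the logging path, which is the trade-off both messages weigh.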
