struts-issues mailing list archives

From "Daniel Le Berre (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4891) Debug tag should not display anything when not in dev mode
Date Wed, 15 Nov 2017 08:38:00 GMT
Daniel Le Berre created WW-4891:
-----------------------------------

             Summary: Debug tag should not display anything when not in dev mode
                 Key: WW-4891
                 URL: https://issues.apache.org/jira/browse/WW-4891
             Project: Struts 2
          Issue Type: Improvement
          Components: Core Tags
    Affects Versions: 2.5.14
            Reporter: Daniel Le Berre


I noticed that the debug tag displays the content of the value stack independently of the
value of devMode.

I wonder if it would not be more secure to not display anything if devMode=true.

I can imagine a developer forgetting to remove this kind of debug tag before the app goes
to production. Making it silent in production mode would reduce the risk of displaying sensitive
data.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
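
The risk raised in the report, a debug tag left in a page that ships to production, can also be caught at build time. The following is an added example, not part of the original message or of the Struts code base: a scan of JSP sources that reports live debug tags. It assumes the standard `/struts-tags` taglib URI; the function names and the sample page are constructed for illustration.

```python
import re
import sys
from pathlib import Path

STRUTS_URI = "/struts-tags"  # standard Struts 2 taglib URI (assumed to be the one in use)
TAGLIB = re.compile(r"<%@\s*taglib\b(.*?)%>", re.S | re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)

def _blank(match):
    # Replace a JSP comment with spaces but keep newlines so line numbers stay valid.
    return re.sub(r"[^\n]", " ", match.group(0))

def struts_prefixes(jsp_text):
    """Prefixes bound to the Struts tag library by taglib directives."""
    prefixes = set()
    for m in TAGLIB.finditer(JSP_COMMENT.sub(_blank, jsp_text)):
        attrs = dict(ATTR.findall(m.group(1)))
        if attrs.get("uri") == STRUTS_URI and "prefix" in attrs:
            prefixes.add(attrs["prefix"])
    return prefixes

def find_debug_tags(jsp_text):
    """Return sorted (line_number, prefix) pairs for live Struts debug tags."""
    text = JSP_COMMENT.sub(_blank, jsp_text)
    hits = []
    for prefix in struts_prefixes(jsp_text):
        for m in re.finditer(r"<" + re.escape(prefix) + r":debug\b", text):
            hits.append((text.count("\n", 0, m.start()) + 1, prefix))
    return sorted(hits)

# Constructed sample page: non-default prefix, one commented-out tag, one live tag.
SAMPLE_JSP = """<%@ taglib uri="/struts-tags" prefix="st" %>
<html><body>
<%-- <st:debug/> kept for later --%>
<st:property value="user.name"/>
<st:debug />
</body></html>
"""

if __name__ == "__main__":
    failed = False
    for path in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.jsp"):
        for line, prefix in find_debug_tags(path.read_text(errors="replace")):
            print(f"{path}:{line}: <{prefix}:debug> tag present")
            failed = True
    sys.exit(1 if failed else 0)
```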
