tomcat-dev mailing list archives

From Alex Chaffee <g...@edamame.stinky.com>
Subject Re: Security: printStackTrace :-)
Date Tue, 15 Aug 2000 09:45:22 GMT
> In Logger we do a printStackTrace for the original exception (can be
> ServletException) and also on the "rootCause" exception (using
> getRootCause). This is very useful information and a useful feature, but it may
> open a wrong door.

If we disable printStackTrace, we should do so via a flag in
server.xml.  Make the secure option the default, but put a
comment describing the tradeoff.  I think we already talked about
disabling stack traces on error pages, but it seems like nobody did
anything about it, since I still see stack traces occasionally.

But hmm, if there is a problem like you describe, it applies both to
printStackTrace onto a web page *and* into a log file... Hope you're
just being paranoid :-)


-- 
Alex Chaffee                       mailto:alex@jguru.com
jGuru - Java News and FAQs         http://www.jguru.com/alex/
Creator of Gamelan                 http://www.gamelan.com/
Founder of Purple Technology       http://www.purpletech.com/
Curator of Stinky Art Collective   http://www.stinky.com/
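
The flag-gated logging discussed in this message, as an added example that is not part of the original message or of Tomcat's code. The names `TraceGate`, `showStackTraces` and `WrappedException` (a stand-in for `ServletException` and its `getRootCause`) are hypothetical, and printing only the exception class name when the flag is off is an assumption about what the secure default would emit.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

// Added illustration; class, flag and method names are hypothetical, not Tomcat code.
public class TraceGate {
    // Stand-in for javax.servlet.ServletException so this compiles without the servlet API.
    static class WrappedException extends Exception {
        private final Throwable root;
        WrappedException(String msg, Throwable root) { super(msg); this.root = root; }
        Throwable getRootCause() { return root; }
    }

    // Would be read from configuration; false is the secure default.
    private final boolean showStackTraces;

    TraceGate(boolean showStackTraces) { this.showStackTraces = showStackTraces; }

    // Builds the text that would be written to the log or error page.
    String render(Throwable t) {
        StringWriter buf = new StringWriter();
        PrintWriter out = new PrintWriter(buf);
        describe(out, "Exception", t);
        if (t instanceof WrappedException) {
            Throwable root = ((WrappedException) t).getRootCause();
            if (root != null) describe(out, "Root cause", root);
        }
        out.flush();
        return buf.toString();
    }

    private void describe(PrintWriter out, String label, Throwable t) {
        if (showStackTraces) {
            out.println(label + ":");
            t.printStackTrace(out); // full frames, for debugging only
        } else {
            // Secure mode (assumed): exception type only, no message and no frames.
            out.println(label + ": " + t.getClass().getName());
        }
    }

    public static void main(String[] args) {
        // Constructed sample exception chain.
        Throwable e = new WrappedException("request failed",
                new IllegalStateException("constructed sample detail"));
        System.out.println("--- flag off (default) ---");
        System.out.print(new TraceGate(false).render(e));
        System.out.println("--- flag on ---");
        System.out.print(new TraceGate(true).render(e));
    }
}
```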
