tomcat-dev mailing list archives

From Alex Chaffee
Subject Re: Outstanding bugs before 3.2 final?
Date Thu, 21 Sep 2000 18:20:30 GMT
This is exactly why we need to SHIP NOW before other controversial
feature changes disguised as bug fixes sneak into the 3.2 code base.

I agree that stack traces may be dangerous to display to unknown,
untrusted users in some cases.  (They reveal information about
internal filesystem and class structures which could be used as part
of a crack.)

However, I am strongly -1 for disabling them across the board, without
providing a config option.

Specifically, they should be ON BY DEFAULT, and we should add a
<suppress-stack-traces/> option to server.xml somewhere (not sure
where -- another delay while we figure this out).

 - A



On Thu, Sep 21, 2000 at 11:31:18AM -0700, Hans Bergsten wrote:
> Larry Isaacs wrote:
> > 
> > Hi Sam,
> > 
> > I cleaned up some error handling last night and committed the changes this 
> > morning after some further testing.  The change includes removing the stack 
> > traces from the default exception handling.  I agree with Costin and others 
> > that this reveals more information than is desirable.
> What is the new default exception handling behavior? Is it really a security
> issue to show the stack trace? I may be ignorant here, but I just don't see
> it.
> The stack trace is *really* useful during debugging. In fact, it's pretty
> much the only tool you have to find out what's wrong. Having to do something
> special to activate it will cause a lot of grief for developers, I'm sure.
> Please explain what the security issue is so we can see if there's another
> way to address it.
> Hans
> -- 
> Hans Bergsten
> Gefion Software

Alex Chaffee             
jGuru - Java News and FAQs
Creator of Gamelan       
Founder of Purple Technology
Curator of Stinky Art Collective
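
Added example, not part of the original message and not Tomcat code: a sketch of the trade-off argued in this thread, where the full stack trace is always written to a server-side log and the response shows either the trace or only a reference id. The class name, the `suppressStackTraces` flag (a stand-in for the proposed option) and the sample exception are assumptions made for illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;

public class ErrorPageDemo {

    // Hypothetical flag standing in for the config option proposed in the thread.
    static String renderErrorPage(Throwable t, boolean suppressStackTraces,
                                  StringBuilder serverLog) {
        String ref = UUID.randomUUID().toString();
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw, true));

        // The full trace always goes to the server-side log, keyed by the
        // reference id, so developers keep their debugging information.
        serverLog.append("error ").append(ref).append('\n').append(sw);

        StringBuilder page = new StringBuilder("<h1>500 Internal Server Error</h1>\n");
        if (suppressStackTraces) {
            // Untrusted clients see only the id, no paths or class names.
            page.append("<p>Reference: ").append(ref).append("</p>\n");
        } else {
            // Development mode: show the trace, escaped because exception
            // messages can contain request-supplied text.
            page.append("<pre>").append(escapeHtml(sw.toString())).append("</pre>\n");
        }
        return page.toString();
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed sample exception; the path is made up for the demo.
        Throwable t = new IllegalStateException(
                "cannot read /constructed/path/app.properties <init>");
        StringBuilder serverLog = new StringBuilder();

        System.out.println("--- traces shown ---");
        System.out.println(renderErrorPage(t, false, serverLog));
        System.out.println("--- traces suppressed ---");
        System.out.println(renderErrorPage(t, true, serverLog));
        System.out.println("--- server-side log ---");
        System.out.println(serverLog);
    }
}
```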
