tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Larry Isaacs <Larry.Isa...@sas.com>
Subject RE: Outstanding bugs before 3.2 final?
Date Thu, 21 Sep 2000 19:10:08 GMT
I'll admit I may have overstepped a bit, going for a quick fix
giving security the priority over ease of development.  I
didn't think I had time work out a configuration parameter
for server.xml.

IMHO, being able to easily guarantee that stack traces can't
occur is serious enough that it should be addressed in
Tomcat 3.2.  With stack traces in the default handler,
it would be difficult to insure that the default handler
couldn't accidentally be invoked under the right conditions.

To view stack traces the intent was to add DisplayException.jsp
as an error-page for java.lang.Throwable in the web.xml.
However, I agree this fails the ON BY DEFAULT requirement
miserably. 

So, I willing to go with the majority.  I can roll the stack
traces back into the default handling, or continue modifications
to add a configuration parameter to server.xml.  What is the
feeling on this?

I would assume that Tomcat 3.2 won't get any maintenance
releases the same as Tomcat 3.1.  I'm reluctant to just
let Tomcat 3.2 ship because it isn't clear when Tomcat 3.3
will be ready.  Because of all the changes, Tomcat 3.3
will have a new set of bugs, hopefully few because of
better design.  But given all the bugs that Watchdog
lets through, passing Watchdog isn't that good a test
as to whether it is ready to ship.  I think it will take
a while for the new bugs in Tomcat 3.3 to be tracked
down.  We really don't want to ship Tomcat's that step
backwards in functionality.

Didn't mean to get thinks stirred up. :-)

Larry

> -----Original Message-----
> From: Alex Chaffee [mailto:guru@edamame.stinky.com]
> Sent: Thursday, September 21, 2000 2:21 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Outstanding bugs before 3.2 final?
> 
> 
> This is exactly why we need to SHIP NOW before other controversial
> feature changes disguised as bug fixes sneak into the 3.2 code base.
> 
> I agree that stack traces may be dangerous to display to unknown,
> untrusted users in some cases.  (They reveal information about
> internal filesystem and class structures which could be used as part
> of a crack.)
> 
> However, I am strongly -1 for disabling them across the board, without
> providing a config option.
> 
> Specifically, they should be ON BY DEFAULT, and we should add a
> <suppress-stack-traces/> option to server.xml somewhere (not sure
> where -- another delay while we figure this out).
> 
>  - A
> 
> P.S. SHIP NOW
> 
> P.P.S. SHIP NOW
> 
> 
> On Thu, Sep 21, 2000 at 11:31:18AM -0700, Hans Bergsten wrote:
> > Larry Isaacs wrote:
> > > 
> > > Hi Sam,
> > > 
> > > I cleaned up some error handling last night and committed 
> the changes this 
> > > morning after some further testing.  The change includes 
> removing the stack 
> > > traces from the default exception handling.  I agree with 
> Costin and others 
> > > that this reveals more information than is desirable.
> > 
> > What is the new default exception handling behavior? Is it 
> really a security
> > issue to show the stack trace? I may be ignorant here, but 
> I just don't see
> > it.
> > 
> > The stack trace is *really* useful during debugging. In 
> fact, it's pretty
> > much the only tool you have to find out what's wrong. 
> Having to do something
> > special to activate it will cause a lot of grief for 
> developers, I'm sure.
> > 
> > Please explain what the security issue is so we can see if 
> there's another
> > way to address it.
> > 
> > Hans
> > -- 
> > Hans Bergsten		hans@gefionsoftware.com
> > Gefion Software		http://www.gefionsoftware.com
> > 
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> -- 
> Alex Chaffee                       mailto:alex@jguru.com
> jGuru - Java News and FAQs         http://www.jguru.com/alex/
> Creator of Gamelan                 http://www.gamelan.com/
> Founder of Purple Technology       http://www.purpletech.com/
> Curator of Stinky Art Collective   http://www.stinky.com/
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 

Mime
View raw message