Return-Path: Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 74834 invoked from network); 21 Sep 2000 18:35:11 -0000 Received: from karen3.immaculate.org (HELO edamame.stinky.com) (209.60.53.27) by locus.apache.org with SMTP; 21 Sep 2000 18:35:11 -0000 Received: (qmail 1215 invoked by uid 510); 21 Sep 2000 18:20:30 -0000 Date: Thu, 21 Sep 2000 11:20:30 -0700 From: Alex Chaffee To: tomcat-dev@jakarta.apache.org Subject: Re: Outstanding bugs before 3.2 final? Message-ID: <20000921112030.I32519@edamame.stinky.com> Reply-To: alex@jguru.com References: <39CA53F6.6C9DD2D5@gefionsoftware.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <39CA53F6.6C9DD2D5@gefionsoftware.com>; from hans@gefionsoftware.com on Thu, Sep 21, 2000 at 11:31:18AM -0700 X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N This is exactly why we need to SHIP NOW before other controversial feature changes disguised as bug fixes sneak into the 3.2 code base. I agree that stack traces may be dangerous to display to unknown, untrusted users in some cases. (They reveal information about internal filesystem and class structures which could be used as part of a crack.) However, I am strongly -1 for disabling them across the board, without providing a config option. Specifically, they should be ON BY DEFAULT, and we should add a option to server.xml somewhere (not sure where -- another delay while we figure this out). - A P.S. SHIP NOW P.P.S. SHIP NOW On Thu, Sep 21, 2000 at 11:31:18AM -0700, Hans Bergsten wrote: > Larry Isaacs wrote: > > > > Hi Sam, > > > > I cleaned up some error handling last night and committed the changes this > > morning after some further testing. The change includes removing the stack > > traces from the default exception handling. I agree with Costin and others > > that this reveals more information than is desirable. > > What is the new default exception handling behavior? Is it really a security > issue to show the stack trace? I may be ignorant here, but I just don't see > it. > > The stack trace is *really* useful during debugging. In fact, it's pretty > much the only tool you have to find out what's wrong. Having to do something > special to activate it will cause a lot of grief for developers, I'm sure. > > Please explain what the security issue is so we can see if there's another > way to address it. > > Hans > -- > Hans Bergsten hans@gefionsoftware.com > Gefion Software http://www.gefionsoftware.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org -- Alex Chaffee mailto:alex@jguru.com jGuru - Java News and FAQs http://www.jguru.com/alex/ Creator of Gamelan http://www.gamelan.com/ Founder of Purple Technology http://www.purpletech.com/ Curator of Stinky Art Collective http://www.stinky.com/