tomcat-dev mailing list archives

From Incze Lajos <in...@mail.matav.hu>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
Date Fri, 10 Aug 2001 22:24:12 GMT
> > And: if a bug
> > then - just theoretically - is that a good decision to program for bugs?
> 
> What other choice would we have?  Without doing this, there's nothing
> Tomcat could do to stop you from snooping the server's entire hard
> drive.  And users would rightly say that Tomcat is broken if that were
> allowed.
> 
> Of course, you could call case insensitivity on Windows a bug as well
> :-).  Even if you don't, it's something that Tomcat has to deal with in
> order to conform to the specs that say request URIs are case sensitive.

I really was wondering, just theoretically, and only speculating
where the limit is. Why not follow the usual security scenario:

Bugtraq, illustrating the issues (hopefully on an IIS server),
a press release; I'm not familiar with how to do that. Quietly
making a workaround always leads to a losing position.
You will run extra code even when an MS patch comes out, and
you'll be notified, or not. What to do if the fix comes out?
Leave your workaround in the code (for the sake of people
who don't know of it) or not?

On the other hand, if you document this bug in the proper
places, then all the trouble goes where it belongs. If
Tomcat works on Solaris but doesn't work on Windows, and
MS doesn't fix a security hole, then users have a choice.

I don't know if I'm right or not, but I myself would go
down the Bugtraq track.

incze
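The quoted reply above says Tomcat has to cope with a case-insensitive filesystem because the specs make request URIs case sensitive. The block below is an added illustration of that kind of check and is not Tomcat's code or the HttpProcessor.java change under discussion; the function names (resolve_case_exact, naive_lookup), the temporary docroot with a single index.jsp, and the list of sample request paths are all constructed for the example. It resolves a request path one component at a time against the actual directory listing, so a component is only accepted when it matches an on-disk entry byte for byte, and it collapses "." and ".." against a virtual root first so traversal cannot climb above the docroot. naive_lookup is the contrast: it just asks the OS whether the joined path exists, which on Windows accepts /INDEX.JSP for index.jsp.

```python
import os
import posixpath
import tempfile


def resolve_case_exact(docroot, request_path):
    """Map a request URI path onto a file below docroot.

    Each path component must match an on-disk directory entry exactly,
    case included, so a case-insensitive filesystem cannot turn
    "/INDEX.JSP" into a hit for "index.jsp".  Returns the absolute
    filesystem path, or None if the request must be rejected.
    (Hypothetical helper written for this example, not Tomcat's code.)
    """
    # Collapse "." and ".." against a virtual root first; a leading
    # ".." can then never climb above docroot.
    norm = posixpath.normpath("/" + request_path.lstrip("/"))
    current = os.path.abspath(docroot)
    for component in norm.split("/"):
        if component in ("", "."):
            continue
        if component == "..":          # defensive: should not survive normpath
            return None
        try:
            entries = os.listdir(current)
        except OSError:                # not a directory, or unreadable
            return None
        if component not in entries:   # exact string match, never case-folded
            return None
        current = os.path.join(current, component)
    return current


def naive_lookup(docroot, request_path):
    """The check a case-insensitive filesystem defeats: just ask the OS
    whether the joined path exists.  On Windows this accepts /INDEX.JSP
    and it also follows "..", so it is shown only as the contrast."""
    candidate = os.path.join(os.path.abspath(docroot), request_path.lstrip("/"))
    return candidate if os.path.isfile(candidate) else None


def build_demo_tree():
    """Constructed sample docroot: one JSP file in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write("<%= 1 + 1 %>\n")
    return root


def check_requests(docroot):
    """Return {request_path: accepted?} for a fixed set of constructed requests."""
    requests = [
        "/index.jsp",          # exact case: served
        "/INDEX.JSP",          # wrong case: rejected even where the OS would find it
        "/index.Jsp",
        "/./index.jsp",        # "." normalised away: served
        "/../../etc/passwd",   # traversal attempt: normalised, then not under docroot
        "/missing.jsp",
    ]
    return {r: resolve_case_exact(docroot, r) is not None for r in requests}


if __name__ == "__main__":
    root = build_demo_tree()
    for path, ok in check_requests(root).items():
        print("%-22s exact-case: %-5s naive: %s" % (
            path, ok, naive_lookup(root, path) is not None))
```

On a case-sensitive filesystem both lookups agree on the case-variant requests, so the difference only shows up on Windows or a case-insensitive volume; the exact-match walk itself behaves the same everywhere, which is the point of doing the comparison in the application rather than trusting the OS. This says nothing about what an administrator should do about the underlying platform behaviour, which is the question the message itself raises.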
