tomcat-dev mailing list archives

From "Remy Maucherat" <r...@apache.org>
Subject Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/generators StaticInterceptor.java
Date Tue, 16 Apr 2002 12:12:11 GMT
> Hi Remy,
>
> > I actually tried the test case (I guess I should have tried it before ...),
> > and it didn't do what I thought it would do. This does not qualify as a
> > security issue by my book, though (it is recommended to test your
> > application before putting it in production).
>
> Now I have a simple question: Do you think this is a Tomcat bug or not?

It looks like it.
I have to look into the issue more, I suppose.

> About the security issue (or not): We _did_ test our application. We just
> didn't expect that a working JSP would change its behaviour just because we
> include it from another one! Also think about third party components. If you
> have a third party JSP that does a forward, you can never be sure it works
> within an include. The bottom line is: JSPs should _never_ be served as
> static content (except an application explicitly changes the .jsp mapping or
> serves it itself). Everything else is at least a bug. Sorry for repeating
> this again and again, but Orion and Resin don't have this issue and I'd love
> to fix Tomcat provided I get some positive feedback regarding my proposed
> solution.

I have no opinion on it at the moment.

Remy

