tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject [OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Date Thu, 26 Sep 2002 04:53:34 GMT
I'm agreeing with Costin.  Please move this discussion to
velocity-dev@jakarta.apache.org.  It is off-topic here.

----- Original Message -----
From: "Bojan Smojver" <bojan@rexursive.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, September 25, 2002 7:33 PM
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability


> Not if:
>
> runtime.interpolate.string.literals = false
>
> Bojan
>
> Quoting Tim Funk <funkman@joedog.org>:
>
> > That's what code reviews are for and in absence of that - firing your
> > developers.
> >
> > Wouldn't I also get an out of memory with this in Velocity?
> >
> > #set($oom = "0000000000000000000000000000000000000000000000000000" )
> > #foreach( $i in [-2147483648..2147483648] )
> > #set($oom = "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" )
> > #end
> >
> > Bad code can kill ANY system for the determined(disgruntled) developer.
> >
> >
> > Bojan Smojver wrote:
> > > All right then, let's talk about JSPs. If I host my clients' JSPs on my server
> > > and a web designer puts this in (BTW, he wasn't forced, he simply decided he
> > > wanted to do it):
> > >
> > > -----------------------------------------------
> > >     Hashtable strings = new Hashtable();
> > >     int i=0;
> > >     while (true)
> > >     {
> > >         strings.put ("dead"+i, new StringBuffer(999999));
> > >     }
> > > -----------------------------------------------
> > >


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

