tomcat-dev mailing list archives

From Bojan Smojver <>
Subject RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Date Thu, 26 Sep 2002 01:22:45 GMT
Quoting Costin Manolache <>:

> And Velocity does have a mailing list where all this can be discussed.
> This is tomcat-dev - for servlet and jsp development.
> If you have any ideas on how to improve jasper - great, but please don't
> waste our time with off topic subjects. Comments and suggestions on JSP spec
> can be addressed to the feedback address from Sun, we just implement it.
> ( and BTW, nobody forces you to use any java inside the JSP if you don't
> want to, or any of the features that are specific to jsps. )

All right then, let's talk about JSPs. If I host my clients' JSPs on my server
and a web designer puts this in (BTW, he wasn't forced, he simply decided he
wanted to do it):

    <%@ page import="java.util.Hashtable" %>
    <%
        Hashtable strings = new Hashtable();
        int i = 0;
        while (true)
            // a new key every time, so nothing is ever released: OutOfMemoryError
            strings.put("dead" + (i++), new StringBuffer(999999));
    %>

What would happen to my Tomcat? I think this is called OutOfMemoryError and it
would affect every single web application running in that instance of Tomcat,
possibly owned by some other clients of mine. Completely unacceptable...

Web applications are collections of programs and other stuff, for instance web
pages. However, web pages should not be programs because they are (usually)
maintained by non-programmers. The fact that you know what you're doing doesn't
excuse the shortcomings of the technology.


This mail sent through IMP:
