tomcat-dev mailing list archives

From Bob Herrmann <...@jadn.com>
Subject RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Date Thu, 26 Sep 2002 01:31:46 GMT
With power comes responsibility.

<% System.exit(1) %>

-bob

P.S. Yea, I know the SecurityManager can catch this, if enabled.

On Wed, 2002-09-25 at 21:22, Bojan Smojver wrote:
> Quoting Costin Manolache <cmanolache@yahoo.com>:
> 
> > And Velocity does have a mailing list where all this can be discussed.
> > 
> > This is tomcat-dev - for servlet and jsp development.
> > 
> > If you have any ideas on how to improve jasper - great, but please don't
> > waste our time with off topic subjects. Comments and suggestions on JSP spec 
> > can be addressed to the feedback address from Sun, we just implement it.
> > 
> > ( and BTW, nobody forces you to use any java inside the JSP if you don't
> > want to, or any of the features that are specific to jsps. )
> 
> All right then, let's talk about JSP's. If I host my clients' JSP's on my server
> and a web designer puts this in (BTW, he wasn't forced, he simply decided he
> wanted to do it):
> 
> -----------------------------------------------
>     Hashtable strings = new Hashtable();
>     int i=0;
>     while (true)
>     {
>         strings.put ("dead"+i, new StringBuffer(999999));
>     }
> -----------------------------------------------
> 
> What would happen to my Tomcat? I think this is called OutOfMemoryError and it
> would affect every single web application running in that instance of Tomcat,
> possibly owned by some other clients of mine. Completely unacceptable...
> 
> Web applications are collections of programs and other stuff, for instance web
> pages. However, web pages should not be programs because they are (usually)
> maintained by non-programmers. The fact that you know what you're doing doesn't
> excuse the shortcomings of the technology.
> 
> Bojan
> 
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
-- 
Bob Herrmann <bob@jadn.com>
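The P.S. above says a SecurityManager can catch a scriptlet's `System.exit()` if one is enabled. The following is an added illustration of that mitigation, not code from the thread or from Tomcat: a minimal SecurityManager that vetoes JVM exit while leaving everything else permitted (a real deployment would instead use a policy file; the class name and the permissive `checkPermission` overrides are assumptions made for brevity).

```java
// Added example: a SecurityManager that refuses System.exit() from any code,
// demonstrating why the scriptlet <% System.exit(1) %> fails when a manager is installed.
import java.security.Permission;

public class NoExitSecurityManager extends SecurityManager {

    // Allow every other permission check. This is deliberately lax for the demo;
    // Tomcat's own approach (catalina.sh run -security) uses catalina.policy instead,
    // where webapp code is simply never granted java.lang.RuntimePermission "exitVM".
    @Override
    public void checkPermission(Permission perm) {
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
    }

    // Called by Runtime.exit() before the JVM shuts down; throwing here aborts the exit.
    @Override
    public void checkExit(int status) {
        throw new SecurityException("System.exit(" + status + ") denied by security policy");
    }

    // Returns true if the exit attempt was blocked and the JVM kept running.
    public static boolean exitIsBlocked() {
        try {
            System.exit(1);          // what the scriptlet in the thread would execute
            return false;            // unreachable if the manager works
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExitSecurityManager());
        System.out.println("exit blocked: " + exitIsBlocked());
        System.out.println("JVM still running, other webapps unaffected");
    }
}
```

Two caveats a practitioner should keep in mind. First, this only addresses the `System.exit()` case; the memory-exhaustion loop Bojan quotes is not a permission check and a SecurityManager does nothing against it, so per-instance isolation (separate JVMs per tenant, memory limits at the container or OS level) remains the control for that. Second, `SecurityManager` was deprecated for removal in Java 17 (JEP 411) and newer JVMs refuse to install one unless started with `-Djava.security.manager=allow`, so on current releases this mitigation is no longer something to build on.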

