tomcat-dev mailing list archives

From Bojan Smojver <bo...@rexursive.com>
Subject Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Date Thu, 26 Sep 2002 02:33:31 GMT
Not if:

runtime.interpolate.string.literals = false

Bojan

Quoting Tim Funk <funkman@joedog.org>:

> That's what code reviews are for and in absence of that - firing your 
> developers.
> 
> Wouldn't I also get an out of memory with this in Velocity?
> 
> #set($oom = "0000000000000000000000000000000000000000000000000000" )
> #foreach( $i in [-2147483648..2147483648] )
> #set($oom = "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" )
> #end
> 
> Bad code can kill ANY system for the determined (disgruntled) developer.
> 
> 
> Bojan Smojver wrote:
> > All right then, let's talk about JSP's. If I host my clients' JSP's on my server
> > and a web designer puts this in (BTW, he wasn't forced, he simply decided he
> > wanted to do it):
> > 
> > -----------------------------------------------
> >     Hashtable strings = new Hashtable();
> >     int i=0;
> >     while (true)
> >     {
> >         strings.put ("dead"+i, new StringBuffer(999999));
> >     }
> > -----------------------------------------------
> > 
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
> 
> 
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

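An added example, not code from the thread or from the Tomcat or Velocity projects, that shows what the setting Bojan cites does to the template Tim quoted. With `runtime.interpolate.string.literals` left at its default of `true`, every pass through the loop re-interpolates the double-quoted literal and the string grows fourteen-fold; with it set to `false` the literal is stored verbatim (like a single-quoted string), so its length never changes. The loop is bounded to three iterations here so the interpolating case grows instead of exhausting the heap; the class name and template wrapper are constructed, and it assumes Velocity 1.x on the classpath.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class InterpolationDemo {

    // Constructed template: same shape as the one quoted in the thread, but the
    // range is [1..3] rather than the full int range so the demo terminates.
    static final String TEMPLATE =
          "#set($oom = \"0000000000000000000000000000000000000000000000000000\")"
        + "#foreach($i in [1..3])"
        + "#set($oom = \"$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom\")"
        + "#end"
        + "$oom.length()";

    // Render the template with string-literal interpolation switched on or off
    // and return the final length of $oom as reported by the template itself.
    static int finalLength(boolean interpolate) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        // RuntimeConstants.INTERPOLATE_STRINGLITERALS is the constant for
        // "runtime.interpolate.string.literals".
        ve.setProperty(RuntimeConstants.INTERPOLATE_STRINGLITERALS,
                       Boolean.toString(interpolate));
        ve.init();

        StringWriter out = new StringWriter();
        ve.evaluate(new VelocityContext(), out, "interpolation-demo", TEMPLATE);
        return Integer.parseInt(out.toString().trim());
    }

    public static void main(String[] args) throws Exception {
        // Interpolation on: 52 chars * 14 per iteration -> 728, 10192, 142688.
        System.out.println("interpolate=true : " + finalLength(true));
        // Interpolation off: the 56-character literal "$oom$oom...$oom" is
        // assigned unchanged on every pass, so the length stays at 56.
        System.out.println("interpolate=false: " + finalLength(false));
    }
}
```

The setting removes only this interpolation-driven growth; it does nothing about a template that allocates in a plain loop, which is Tim's wider point about code that a host accepts from its tenants, so it belongs with review of submitted templates and JVM heap limits rather than replacing them.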