Message-ID: <1033017304.3d9297d881663@imp.rexursive.com>
Date: Thu, 26 Sep 2002 15:15:04 +1000
From: Bojan Smojver
To: Tomcat Developers List
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
References: <00ac01c26482$912ee190$890210ac@jtrollingerxp> <1032990872.1205.52.camel@beast.rexursive.com> <1033003365.3d92616553032@imp.rexursive.com>

Quoting Costin Manolache:

> Bojan Smojver wrote:
>
> > All right then, let's talk about JSP's. If I host my clients' JSP's on my
> > server and a web designer puts this in (BTW, he wasn't forced, he simply
> > decided he wanted to do it):
>
> And your proposed solution is ... ?

Don't use JSP's. I think that was very clear from the beginning of this thread.

> Do you have a patch to solve this problem ? If so, send the code. IF
> not - please let me know what's your point here ? Do you think we're stupid
> and never heard about denial of service ?

No, I don't think that anyone here is stupid - how did you get that idea?

And I don't have a patch. I don't think anyone has. Furthermore, since this is not my itch any more, why would I scratch?

Also I don't think that malicious people can be prevented from causing problems if they really want to. But, if you make it easy for it to happen by accident to the people that don't really understand what they're doing, that's asking for trouble (e.g. how many web designers really understand the concept of session beans?).

My point is this - JSP makes it dead easy to not write MVC applications and to fiddle with Java code where you shouldn't. Jon explained it here: http://jakarta.apache.org/velocity/ymtd/ymtd.html. Bottom line: let designers design and let programmers program.

> BTW, velocity _is_ a programming language - at least by the book definition,
> AFAIK it is Turing complete. Some things are more difficult to do, but
> not impossible - you can see it as a benefit, I see it as a major lack
> of flexibility.

Actually, I think even Velocity can do too much. An even better template language (or whatever you want to name it - don't really care) wouldn't allow method calls etc. But that's a different story altogether...

> So if you want to discuss solutions for this problem - I'm sure it'll
> help other templating and programming tools as well, including velocity
> ( which BTW can be a nice tool - and the lack of flexibility can be
> good in some cases ).
>
> I don't know what to do about your web designer - who doesn't know
> programming but decides to write some DOS code in his page. But I know
> that the best web applications I've used so far ( including some in
> php or perl ) were written by people who know a lot of programming.
> You need software engineers, usability engineers - not web designers
> who are clueless on programming ( and can't be trusted to not write
> DOS just for fun ).

I'm not talking about my web designer, I'm talking about my clients' web designers. I cannot fire my clients' employees. I also don't have any influence over what they do and don't know, how qualified they are and if they care.

Again, the point is - why give people power (that they don't need anyway) and hope nothing bad will happen?

Bojan