tomcat-dev mailing list archives

From Bob Herrmann <...@jadn.com>
Subject Re: [Proposal] Security Audit
Date Wed, 09 Oct 2002 15:57:58 GMT

I can't think of anything more boring and tedious (bug fixing?) but I am
willing to help.  Maybe we should divide up the classes.  

Cheers,
-bob

On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
> Hi,
> 
> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I 
> would like to collect as much information as possible about where you think I 
> should look (code, security holes, etc.). I'm planning to do the audit using 
> the default SecurityManager. Right now, I have started looking at:
> 
> - doPrivilege blocks. Are they small enough? Can they be reduced?
> - JSP generated code. Is it secure? Can a malicious app use the code 
> to access o.a.catalina code?
> - Is catalina.policy restricted enough?
> - Is our Classloader secure?
> 
> Any direction/ideas/recommendations will be appreciated.
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
-- 
Bob Herrmann <bob@jadn.com>

