tomcat-dev mailing list archives

From Yoav Shapira <yo...@apache.org>
Subject Re: DO NOT REPLY [Bug 37150] - denial of service on many and long requests on v5.5.x
Date Wed, 09 Nov 2005 00:46:52 GMT
Hi,
I think turning them on is already in the FAQ, thankfully ;)

Maybe we'll do a 5.5.13 release next week?

Yoav

--- Tim Funk <funkman@joedog.org> wrote:

> Turning off directory listings by default is a good security practice. I only
> wait for all the tomcat user questions of how to turn it on instead of
> off ;)
> 
> -Tim
> 
> Mark Thomas wrote:
> 
> >> ------- Additional Comments From remm@apache.org  2005-11-08 23:45 -------
> >> (In reply to comment #5)
> >> The abstraction layer will make directory listings expensive (actually,
> >> directory listings in Java are going to be expensive regardless), so I don't see
> >> how this can be optimized.
> > 
> > 
> > Looking at the profiler output, I agree that this will always be slow. 
> > Closer inspection shows that at best I could reduce the time spent 
> > generating the listing by about a third. Not enough to make a major 
> > difference to this case.
> > 
> > Therefore, a warning in the docs is called for. Something like:
> > "Directory listings of directories containing many entries is an 
> > expensive process. Multiple requests for large directory listings can 
> > consume significant proportions of server resources. Use this option 
> > with caution."
> > 
> > The only remaining question is whether we turn directory listings off by 
> > default. Thoughts?
> > 
> > Mark
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 
> 


Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com
