From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Reply-To: "Tomcat Developers List"
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Subject: DO NOT REPLY [Bug 37480] - Log forging possible
Date: Sat, 12 Nov 2005 23:17:00 +0100 (CET)
Message-Id: <20051112221700.7536FDE@ajax.apache.org>

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=37480

markt@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Catalina                    |Webapps:Examples

------- Additional Comments From markt@apache.org 2005-11-12 23:16 -------

Apart from the example webapp, all code paths listed in this report that exhibit this issue require that debug level logging is enabled.

Whether or not to encode debug level log messages is a trade-off between a low-risk vulnerability - difficult to attack without being spotted (1) and a low impact (2) - and the risk of causing developer issues when reading debug messages as well as adding complexity to the logging code. Having debugged a fair number of i18n issues in Tomcat, I'd much rather have un-encoded log output.

(1) You don't know which debug logging is turned on where and at what level, the message may get logged by multiple components with different message formats, you need to get the timestamp right etc.

(2) Could be used to disguise another attack but in itself does not actually do any harm.

Therefore, I am changing the component for this issue to the examples webapp.
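As an added illustration of the trade-off discussed in the comment above (this is not code from the bug report or from Tomcat itself), the snippet below contrasts a raw debug entry built from attacker-influenced input with the same entry after control-character encoding; `LogForgingDemo`, `encodeForLog`, `formatEntry` and the fixed-format logger are assumptions made for the demonstration.

```java
import java.util.regex.Pattern;

public class LogForgingDemo {

    // Encode a message so it always occupies exactly one log line:
    // CR, LF and other C0 control characters become visible escapes,
    // while non-ASCII (i18n) text is left untouched and readable.
    static String encodeForLog(String message) {
        StringBuilder sb = new StringBuilder(message.length());
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                case '\\': sb.append("\\\\"); break; // keep the encoding unambiguous
                default:
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Hypothetical fixed-format debug logger: one timestamped entry per call.
    static String formatEntry(String level, String message) {
        return "2005-11-12 23:16:00 " + level + " " + message;
    }

    // Number of physical lines an entry occupies; a forged entry yields more than one.
    static int physicalLines(String entry) {
        return Pattern.compile("\r?\n").split(entry, -1).length;
    }

    public static void main(String[] args) {
        // Constructed attacker-influenced value, e.g. a request parameter echoed at debug level
        String tainted = "guest\n2005-11-12 23:16:00 INFO Login succeeded for admin";
        String raw = formatEntry("DEBUG", "User lookup: " + tainted);
        String safe = formatEntry("DEBUG", "User lookup: " + encodeForLog(tainted));
        System.out.println("raw entry spans " + physicalLines(raw) + " line(s):");
        System.out.println(raw);
        System.out.println("encoded entry spans " + physicalLines(safe) + " line(s):");
        System.out.println(safe);
    }
}
```

The raw entry splits into two lines, the second of which is indistinguishable from a genuine INFO record; the encoded entry stays on one line at the cost of the escaped, less readable output the comment weighs against it.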