tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38128] - directory listings DoS
Date Mon, 25 Dec 2006 01:38:36 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128


yoavs@computer.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From yoavs@computer.org  2006-12-24 17:38 -------
There are a few things I dislike in this patch.

You shouldn't catch Throwables and then silently not handle them.  You shouldn't
even do that with Exceptions, but certainly not Throwables.  That by itself
means -1 on the patch as it stands currently.

Then there's the overall weight of the solution: adding a custom cache and tying
it into the default web.xml just for this case seems overweight.  I wonder if
there's an easier solution without caching, and certainly without a time-based
cache which means additional background processing.  One approach that comes to
mind is a no-op XSLT for customizations, as documented in
http://tomcat.apache.org/tomcat-5.0-doc/default-servlet.html#dir

Finally, as you probably know, directory listings are easy to disable: see
http://marc.theaimsgroup.com/?l=tomcat-user&m=105525007220640&w=2 for an example of
the one setting change required.  For others concerned about this DoS (and I
don't think there are any, seeing as how no one else has opined on this issue
and/or posted such a DoS on the mailing lists), they can simply disable
directory listings.

Because of these, I'm going to mark this particular patch as WONTFIX.  If
someone else strongly feels this patch should be applied as-is, they can
say so here.  Otherwise, maybe a more lightweight patch can be attached to the
issue (and the issue itself reopened), that is if anyone still cares.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
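The "one setting change" the comment refers to is the `listings` init-param of Tomcat's DefaultServlet in `conf/web.xml`. The fragment below is an added illustration, not the patch from the bug and not the file Tomcat ships: it shows the DefaultServlet declaration with listings turned off, and, commented out, the `globalXsltFile` hook from the linked default-servlet documentation that the comment proposes as a lighter-weight alternative. The stylesheet path is an assumption for this example.

```xml
<!-- conf/web.xml: global defaults applied to every web application -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <!-- The setting the comment refers to. With "true" every directory that
         lacks a welcome file is rendered as a listing on each request; with
         "false" such requests get a 404 and no listing is generated. -->
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- Alternative if listings must stay on: pass the generated listing
         through a stylesheet so the output is under the operator's control.
         The path below is assumed for this example. -->
    <!--
    <init-param>
        <param-name>globalXsltFile</param-name>
        <param-value>/path/to/listing.xsl</param-value>
    </init-param>
    -->
    <load-on-startup>1</load-on-startup>
</servlet>
```

Changing the value in `conf/web.xml` affects every deployed application; an individual application can set the same init-param on its own `default` servlet mapping in its `WEB-INF/web.xml` if only that application needs a different value.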

