tomcat-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Removing the examples (JSP/servlet) in TC Binaries
Date Mon, 09 Jul 2007 16:54:22 GMT
Rainer Jung wrote:
> I'm not sure. They provide an easy entry point for people using Tomcat
> because it is so simple to just use them. There are a couple of choices:
> 
> - leave the examples in the download and take their security seriously.
> This is what we do now.

good choice...

> - leave the examples in the download, but don't bother about their
> security, as long as they don't compromise the container security (e.g.
> don't bother about XSS issues for the example webapps).

good choice, *if* you set up only a localhost endpoint and clearly document
that the examples are only that, and open to XSS and other issues.
Actually...

> - move the examples into a separate directory, so that they are not
> active by default. Add a note about how to activate them. Also a better
> production setup, but we'll get a lot of questions, why the examples do
> not work.

I guess that's what I was thinking of above.

> I think the real question is, should we still take security seriously for
> the example webapps. If no, then we should decide, which way we disable
> them. I don't have a very strong opinion, because I don't feel fine by
> delivering insecure example webapps, even if they are disabled. How
> should people be made aware of security in webapps, if even our example
> webapps are unsafe.

The argument is that some authors start with the examples.  If they are
riddled with XSS exploits, their derivative code will also be abusable.

It's nice if *someone* provides good reference examples; consider the mess
in PHP development-by-example that's left the web in a half-usable state.

Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
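As an added illustration of the "localhost endpoint" option Bill mentions above (not part of this thread, and not a file the Tomcat project ships in this form): one way to leave the examples webapp installed but reachable only from the local machine is a per-webapp `RemoteAddrValve` in the examples' `META-INF/context.xml`. The valve class and its `allow` attribute are real Tomcat features; the exact regex syntax and the assumption that the webapp is deployed under the name `examples` are this example's, and should be checked against the documentation for the Tomcat version actually in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical webapps/examples/META-INF/context.xml (added example).
     Restricts the example webapp to clients connecting from loopback
     addresses, so any XSS or similar flaw in the examples is not
     exposed to the network while the rest of the container stays as is. -->
<Context>
  <!-- Only IPv4 127.x.x.x and the IPv6 loopback forms are allowed;
       all other source addresses receive 403. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

If Tomcat sits behind a reverse proxy, the address the valve sees is the proxy's, not the browser's, so the restriction above would either block everyone (proxy on another host) or allow everyone (proxy on the same host); in that setup the examples are better left undeployed, which is the third option in the thread.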

