tomcat-users mailing list archives

From kazukin6 <coolwh...@mail.ru>
Subject Re: Disable java code execution <%blabla%> in jsp, but permits tags
Date Thu, 11 Sep 2008 12:54:22 GMT

Hi Juha!

Yes, I did, but it's kinda hard for me to estimate all possible threats and
Tomcat's ability to provide the defence.

I suppose it should be:
1) No thread creation
2) No IO operations
3) No "direct" System API invocations, only Java API (because it can lead
to undesired consequences), and what about changing some crucial standard
Java properties, like system encoding?
4) No "fake" operations to load the processor, like while(true){do
something useless}
5) ?

2) and maybe 3) are implementable, I suppose, but I'm not sure about 1), 4)
and 5).


Juha Laiho wrote:
> 
> kazukin6 wrote:
>> Is it possible to disable all java code execution within jsp page (by
>> security manager or something)
>> but allow custom tags to be executed?
>> 
>> The problem is that the users can change jsp files, and due to security
>> reasons we can allow them to use only tags 
> 
> Unfortunately I don't have an idea on how to prevent Java snippets
> in JSPs, but have you considered whether using Java security manager
> would be enough to defend you against the estimated threats?
> -- 
> ..Juha
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

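The security-manager route Juha suggests, applied to items 1) and 2) of the list above, as an added demonstration (this is not code from the thread, from Tomcat, or from either poster). `ScriptletSandboxDemo`, `ScriptletSandbox` and `blocked` are names chosen here. It assumes a JVM where `SecurityManager` still works: Java 8 to 17 as is, Java 18 to 23 with `-Djava.security.manager=allow`; the API is gone in Java 24.

```java
import java.io.FilePermission;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Permission;

/**
 * Added demo: a custom SecurityManager that refuses thread creation and file
 * writes, i.e. items 1) and 2) from the list. Run with `java ScriptletSandboxDemo`
 * (add -Djava.security.manager=allow on Java 18-23).
 */
public class ScriptletSandboxDemo {

    static class ScriptletSandbox extends SecurityManager {

        // Every FileOutputStream/FileWriter open goes through checkWrite(), which
        // builds a FilePermission with action "write" and calls checkPermission().
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                String actions = perm.getActions();
                if (actions.contains("write") || actions.contains("delete")
                        || actions.contains("execute")) {
                    throw new SecurityException("denied: " + actions + " on " + perm.getName());
                }
            }
            // Everything not listed above is allowed in this demo. Under Tomcat you
            // would keep the default checks instead and grant the webapp only what
            // it needs in conf/catalina.policy (started with "catalina.sh start -security").
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }

        // new Thread(...) calls ThreadGroup.checkAccess(), which lands here. The JDK
        // default only guards the root ("system") thread group, so an explicit
        // override is needed to refuse thread creation outright.
        @Override
        public void checkAccess(ThreadGroup g) {
            throw new SecurityException("denied: thread creation in group " + g.getName());
        }
    }

    /** Runs one action and reports whether the sandbox blocked it. */
    static boolean blocked(String label, Runnable action) {
        try {
            action.run();
            System.out.println(label + ": ALLOWED");
            return false;
        } catch (SecurityException e) {
            System.out.println(label + ": BLOCKED (" + e.getMessage() + ")");
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new ScriptletSandbox());

        // 1) thread creation: refused by checkAccess(ThreadGroup)
        blocked("new Thread()", () -> new Thread(() -> { }));

        // 2) file output: refused by the FilePermission "write" check
        blocked("FileWriter", () -> {
            try (FileWriter w = new FileWriter("scriptlet-output.txt")) {
                w.write("should never get here");
            } catch (IOException e) {
                throw new IllegalStateException(e);
            }
        });

        // 3) changing a system property is guarded by PropertyPermission, which
        // this demo does not restrict, so the call goes through.
        blocked("System.setProperty", () -> System.setProperty("demo.prop", "x"));

        // 4) a busy loop asks for no permission at all: no SecurityManager check
        // fires, so while(true){} cannot be stopped this way.
    }
}
```

Item 3) is covered by the standard checks: `System.setProperty` asks for `PropertyPermission(key, "write")`, so a policy that does not grant it blocks the change. Item 4) is outside what a security manager can do; a CPU-burning loop triggers no permission check, so that needs request timeouts or resource limits enforced outside the JVM. For the original question (scriptlets off, tags on), the JSP specification also offers a non-sandbox switch: a `<jsp-property-group>` in web.xml with `<scripting-invalid>true</scripting-invalid>` makes the container reject pages containing `<% %>` at translation time while tag libraries keep working.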

