You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2022/04/14 03:28:18 UTC

[GitHub] [tomcat] k4n5ha0 opened a new pull request, #504: disable jsp and jspx by default

k4n5ha0 opened a new pull request, #504:
URL: https://github.com/apache/tomcat/pull/504

   jsp and jspx is dangerous. likes spring4shell and others hacker,they use uplaod jsp or write a webshell to disk.
   If project need jsp or jspx, they pack web.xml in war with jsp mappings by themself.
   secure by default.
   thx!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] [tomcat] markt-asf closed pull request #504: disable jsp and jspx by default

Posted by GitBox <gi...@apache.org>.

markt-asf closed pull request #504: disable jsp and jspx by default
URL: https://github.com/apache/tomcat/pull/504


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] [tomcat] markt-asf commented on pull request #504: disable jsp and jspx by default

Posted by GitBox <gi...@apache.org>.

markt-asf commented on PR #504:
URL: https://github.com/apache/tomcat/pull/504#issuecomment-1098727906

   This is a bad idea for so many different reasons. To name a few:
   
   - "Spring4Shell" allows arbitrary file uploads. All an attacker has to do to bypass this change is to upload a web.xml file that re-enables the mapping
   - It does nothing to help users that want/need to use JSPs.
   - Users that had followed the documented security recommendations and set OS file permissions appropriately would have been protected not only against "Spring4Shell"but against any similar vulnerability as well


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org