Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/12/17 10:10:42 UTC

[Bug 64009] New: Embedded Tomcat has insecure default by activating JspServlet without opt-in

https://bz.apache.org/bugzilla/show_bug.cgi?id=64009

            Bug ID: 64009
           Summary: Embedded Tomcat has insecure default by activating
                    JspServlet without opt-in
           Product: Tomcat 8
           Version: 8.5.50
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: emergency.shower@gmail.com
  Target Milestone: ----

By default, and under certain circumstances (see
https://bz.apache.org/bugzilla/show_bug.cgi?id=64008), embedded Tomcat
automatically adds the JspServlet and servlet mappings for it to web apps.

From a security point of view this behaviour leads to an increased
vulnerability surface without user opt-in. It should therefore probably be
avoided.

Currently we are using a patched version of embedded Tomcat that does not
inject the JspServlet programmatically, but this does not seem to be a good
long-term perspective.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
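An added example (not code from the bug report or from the Tomcat project) showing how a deployer can verify whether the embedded defaults described above have registered a JspServlet in a Context. It assumes tomcat-embed-core (8.5.x or later) on the classpath and uses the public Context/Wrapper API only; the empty temp webapp and the exit-code convention are this example's own choices.

```java
import java.io.File;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.Tomcat;

public class JspServletAudit {

    /** Returns "pattern -> servletName (class)" for each mapping to a JspServlet. */
    static List<String> findJspMappings(Context ctx) {
        List<String> hits = new ArrayList<>();
        for (String pattern : ctx.findServletMappings()) {
            String servletName = ctx.findServletMapping(pattern);
            Container child = ctx.findChild(servletName);
            if (!(child instanceof Wrapper)) {
                continue;
            }
            String cls = ((Wrapper) child).getServletClass();
            // The embedded defaults register org.apache.jasper.servlet.JspServlet
            if (cls != null && cls.endsWith(".JspServlet")) {
                hits.add(pattern + " -> " + servletName + " (" + cls + ")");
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        File base = Files.createTempDirectory("tomcat-audit").toFile();
        File docBase = new File(base, "webapp");
        docBase.mkdirs();                       // constructed empty app: no web.xml, no JSPs
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(base.getAbsolutePath());
        tomcat.setPort(0);                      // ephemeral port, audit run only
        tomcat.getConnector();
        // addWebapp attaches the embedded defaults; they are applied when the
        // Context starts, so the audit must run after start(), not before.
        Context ctx = tomcat.addWebapp("", docBase.getAbsolutePath());
        tomcat.start();
        List<String> hits = findJspMappings(ctx);
        tomcat.stop();
        tomcat.destroy();
        hits.forEach(h -> System.out.println("JSP servlet mapped: " + h));
        System.exit(hits.isEmpty() ? 0 : 1);   // non-zero: JspServlet is active
    }
}
```

Run it against the same embedding code your application uses (same addWebapp/addContext calls and the same jars on the classpath); a non-zero exit means JSP handling is reachable without an explicit opt-in.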



Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #1 from Remy Maucherat <re...@apache.org> ---
*** This bug has been marked as a duplicate of bug 64008 ***




--- Comment #2 from emergency.shower@gmail.com ---
I don't think that this is a duplicate of 64008.

This issue is about insecure defaults. 64008 is about how difficult (if not
impossible) it is to prevent these insecure defaults from being applied.




--- Comment #3 from Remy Maucherat <re...@apache.org> ---
Please use the appropriate mailing list for discussion: security for security
related discussions, user for details and investigation on how to use Tomcat.
