Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/11/12 11:48:46 UTC
svn commit: r1714012 - /tomcat/trunk/webapps/docs/security-howto.xml
Author: markt
Date: Thu Nov 12 10:48:45 2015
New Revision: 1714012
URL: http://svn.apache.org/viewvc?rev=1714012&view=rev
Log:
Add info on CGI debug page
Modified:
tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1714012&r1=1714011&r2=1714012&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Thu Nov 12 10:48:45 2015
@@ -469,6 +469,10 @@
script will still report the version number.
</p>
+ <p>The CGI Servlet is disabled by default. If enabled, the debug
+ initialisation parameter should not be set to <code>10</code> or higher on a
+ production system because the debug page is not secure.</p>
+
<p><a href="config/filter.html">FailedRequestFilter</a>
can be configured and used to reject requests that had errors during
request parameter parsing. Without the filter the default behaviour is
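Review bot: the added paragraph states that the debug page "is not secure" without saying what the page exposes or to whom, so a reader cannot judge the risk or tell whether restricting access would be an acceptable alternative. A short clause naming what the debug page discloses would make the warning actionable. The paragraph also gives no pointer to where the debug initialisation parameter is set. A link to the CGI Servlet documentation, in the same way the following paragraph links FailedRequestFilter to config/filter.html, would let the reader check their own configuration. Since only the unsafe range ("10 or higher") is given, consider also stating that values below 10 do not enable the debug page, if that is the intended meaning.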