Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/11/12 11:48:46 UTC

svn commit: r1714012 - /tomcat/trunk/webapps/docs/security-howto.xml

Author: markt
Date: Thu Nov 12 10:48:45 2015
New Revision: 1714012

URL: http://svn.apache.org/viewvc?rev=1714012&view=rev
Log:
Add info on CGI debug page

Modified:
    tomcat/trunk/webapps/docs/security-howto.xml

Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1714012&r1=1714011&r2=1714012&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Thu Nov 12 10:48:45 2015
@@ -469,6 +469,10 @@
     script will still report the version number.
     </p>
 
+    <p>The CGI Servlet is disabled by default. If enabled, the debug
+    initialisation parameter should not be set to <code>10</code> or higher on a
+    production system because the debug page is not secure.</p>
+ 
     <p><a href="config/filter.html">FailedRequestFilter</a>
     can be configured and used to reject requests that had errors during
     request parameter parsing. Without the filter the default behaviour is
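
Review bot: the reason given in the added paragraph, "because the debug page is not secure", leaves an administrator nothing to act on. State what the debug page exposes when debug is 10 or higher and which setting is appropriate for production, and link to the CGI documentation the way the following paragraph links to config/filter.html. Two smaller points in the same hunk: the parameter name debug is not wrapped in <code> although its value <code>10</code> is, and the separator line added after </p> is "+ " with a trailing space, where the existing blank lines carry none.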


