DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37480>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37480


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Catalina                    |Webapps:Examples




------- Additional Comments From [EMAIL PROTECTED]  2005-11-12 23:16 -------
Apart from the example webapp, all code paths listed in this report that exhibit
this issue require that debug level logging is enabled.

Whether or not to encode debug level log messages is a trade-off between a low
risk vulnerability - difficult to attack without being spotted (1) and a low
impact (2) - and the risk of causing developer issues when reading debug messages
as well as adding complexity to the logging code.

Having debugged a fair number of i18n issues in Tomcat, I'd much rather have
un-encoded log output.

(1) You don't know which debug logging is turned on where and at what level, the
message may get logged by multiple components with different message formats,
you need to get the timestamp right, etc.

(2) Could be used to disguise another attack but in itself does not actually do
any harm.


Therefore, I am changing the component for this issue to the examples webapp.
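
An added illustration (not code from this bug report or from Tomcat) of the encoding trade-off discussed in the comment above: escaping only control characters keeps non-ASCII debug output readable, which addresses the i18n concern, while stopping an untrusted value from being read as a second log record. The sample parameter value, timestamps and component name are constructed for the example.

```python
import re

# Constructed sample: a request parameter value an untrusted client could send.
# It embeds a CR/LF pair followed by text shaped like a separate log record.
SAMPLE_VALUE = "sess=42\r\n2005-11-12 23:16:00 INFO [Catalina] request completed"

# Control characters (C0, DEL, C1) are what let a value start a new line or move
# the cursor in a terminal log viewer. Everything else, including non-ASCII
# letters needed when debugging i18n problems, is passed through unchanged.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def encode_for_log(value: str) -> str:
    """Escape control characters so the value stays on one log line."""
    def esc(match: re.Match) -> str:
        ch = match.group(0)
        named = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}
        return named.get(ch, "\\x%02x" % ord(ch))
    return _CONTROL.sub(esc, value)


def log_line(level: str, component: str, message: str,
             ts: str = "2005-11-12 23:16:01") -> str:
    """Constructed log format, similar in shape to a typical container log."""
    return f"{ts} {level} [{component}] {message}"


def record_count(text: str) -> int:
    """Number of records a reader or line-based parser would see in the text."""
    return len(text.splitlines())


if __name__ == "__main__":
    raw = log_line("DEBUG", "Catalina", "param value=" + SAMPLE_VALUE)
    safe = log_line("DEBUG", "Catalina", "param value=" + encode_for_log(SAMPLE_VALUE))
    print(raw)   # appears as two records
    print(safe)  # one record, the escapes are visible
```

`record_count` is the check a log reader or SIEM parser effectively performs; the unencoded line counts as two records, the encoded one as a single record.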

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
