Re: [OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Costin Manolache

Bojan Smojver wrote:

> Quoting Bill Barker <[EMAIL PROTECTED]>:
> 
>> I'm agreeing with Costin.  Please move this discussion to
>> [EMAIL PROTECTED]  It is off-topic here.
> 
> Promise not to write a single byte on this topic on Tomcat-Dev list after
> this e-mail.

Please don't misunderstand this - I have nothing against velocity, it 
is a nice tool ( I like the introspection/bean EL - I hope the jsp el
will be close and I'm following the developments in commons ).
There are many cases where its simplicity is a benefit, and 
for standalone use jsp can't be used. 

The problem is - this list is for servlet and jsp development.
 
And I personally don't like the idea of treating the users
( web developers or not ) as stupid that shouldn't have powerful
tools because they may do bad things.

If you feel a need to convert people to velocity - I suggest you
subscribe to Perl and PHP mailing lists ( and maybe ASP ? ). Maybe
they'll appreciate this kind of arguments :-)


Costin


> 
> Bojan
> 
> -
> This mail sent through IMP: http://horde.org/imp/

-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: [OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bojan Smojver

Quoting Bill Barker <[EMAIL PROTECTED]>:

> I'm agreeing with Costin.  Please move this discussion to
> [EMAIL PROTECTED]  It is off-topic here.

Promise not to write a single byte on this topic on Tomcat-Dev list after this
e-mail.

Bojan






[OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bill Barker

I'm agreeing with Costin.  Please move this discussion to
[EMAIL PROTECTED]  It is off-topic here.

- Original Message -
From: "Bojan Smojver" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 7:33 PM
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability


> Not if:
>
> runtime.interpolate.string.literals = false
>
> Bojan
>
> Quoting Tim Funk <[EMAIL PROTECTED]>:
>
> > That's what code reviews are for and in absence of that - firing your
> > developers.
> >
> > Wouldn't I also get an out of memory with this in Velocity?
> >
> > #set($oom = "" )
> > #foreach( $i in [-2147483648..2147483648] )
> > #set($oom = "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" )
> > #end
> >
> > Bad code can kill ANY system for the determined(disgruntled) developer.
> >
> >
> > Bojan Smojver wrote:
> > > All right then, let's talk about JSP's. If I host my clients' JSP's on my
> > > server and a web designer puts this in (BTW, he wasn't forced, he simply
> > > decided he wanted to do it):
> > >
> > > ---
> > > Hashtable strings = new Hashtable();
> > > int i=0;
> > > while (true)
> > > {
> > > strings.put ("dead"+i, new StringBuffer(99));
> > > }
> > > ---
> > >
> >
> >


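The `runtime.interpolate.string.literals = false` setting that Bojan cites as the reason the doubling template would not grow is easy to check directly. The class below is an added example written for this page, not code from the thread or from the Velocity project; it assumes Velocity's `VelocityEngine` and `VelocityContext` classes are on the classpath, and it evaluates a constructed template that doubles a string only three times, so it is harmless with either setting.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Added demonstration (not part of the original thread): renders the same
 * string-doubling template with string-literal interpolation switched on
 * and off, so the effect of runtime.interpolate.string.literals can be
 * observed on a bounded loop instead of the unbounded one quoted above.
 */
public class LiteralInterpolationDemo {

    // Constructed template: starts with a one-character string and
    // re-assigns it as "$s$s" on each of three passes.
    static final String TEMPLATE =
          "#set($s = \"x\")\n"
        + "#foreach($i in [1..3])\n"
        + "#set($s = \"$s$s\")\n"
        + "#end\n"
        + "$s";

    /**
     * Evaluates TEMPLATE with the given value of
     * runtime.interpolate.string.literals and returns the rendered text.
     */
    static String render(boolean interpolateLiterals) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        // The property under discussion; Velocity treats it as true unless set.
        ve.setProperty("runtime.interpolate.string.literals",
                       String.valueOf(interpolateLiterals));
        ve.init();

        StringWriter out = new StringWriter();
        ve.evaluate(new VelocityContext(), out, "literal-demo", TEMPLATE);
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("interpolation on : " + render(true));
        System.out.println("interpolation off: " + render(false));
    }
}
```

With the property true, `"$s$s"` is interpolated on every pass and the stored string doubles, which is the growth the quoted `#foreach` relies on. With it false, double-quoted literals are stored verbatim, so `$s` never grows and the final line renders the literal text rather than an expanded string. The setting only affects interpolation inside string literals; loops and other directives behave as before, so it narrows one failure mode rather than replacing the code review Tim Funk points to.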