I think that setting is quite benign. The change was not in response to any security hole, but just for strict compliance to the JSP spec.
Cheerio,
Michael Johnston
[EMAIL PROTECTED]

On 10-Sep-08, at 5:39 PM, Kim Cary wrote:

> Scott,
>
> Read your workaround, hair went up on the back of my security-guy neck
> (sorry, strict=false gives me that reaction ;-), installed your
> workaround on dev, it worked, bug filed. I hope it was filed with all
> necessary info to make it useful.
>
> THANKS for the tip!
>
> Best,
> Kim
>
> On Sep 10, 2008, at 4:36 PM, [EMAIL PROTECTED] wrote:
>
>> Date: Wed, 10 Sep 2008 15:47:51 -0400
>> From: "Scott Battaglia" <[EMAIL PROTECTED]>
>> Subject: Re: No really, the demo cas 3.3 app gives an error...
>> To: "Yale CAS mailing list" <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> I tracked down what the problem is (it also affects the latest versions of
>> Tomcat 5.5). Apparently Tomcat changed the way they handle quotation marks
>> in JSP pages to use strict checking:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
>>
>> As a temporary fix you can set the JAVA_OPTS to something like this:
>> export JAVA_OPTS="-Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false"
>> and then startup Tomcat and it should work.
>>
>> If you could file a bug report for this also, that would be great. This is
>> like the third time Tomcat has changed something on us that used to work...
>>
>> Thanks
>> -Scott
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
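
An added example, not part of the original thread and not code from CAS or Tomcat: rather than leaving STRICT_QUOTE_ESCAPING=false in place, the JSPs that trip the strict check can be located and fixed. The sketch assumes the check rejects an attribute whose value is a `<%= ... %>` expression containing the attribute's own delimiter quote unescaped; the sample JSP and the `my:field` tag are constructed.

```python
import re

# Attribute whose whole value is a JSP expression:
#   name="<%= ... %>"  or  name='<%= ... %>'
ATTR_EXPR = re.compile(r"""([\w:.-]+)\s*=\s*(["'])<%=(.*?)%>\2""", re.DOTALL)


def unescaped_quotes(expr, quote):
    """Count occurrences of `quote` in expr that are not backslash-escaped."""
    count, i = 0, 0
    while i < len(expr):
        if expr[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if expr[i] == quote:
            count += 1
        i += 1
    return count


def find_strict_quote_violations(jsp_text):
    """Return (line, attribute, delimiter) for each attribute that reuses
    its delimiter quote, unescaped, inside the <%= %> expression."""
    hits = []
    for m in ATTR_EXPR.finditer(jsp_text):
        name, quote, expr = m.group(1), m.group(2), m.group(3)
        if unescaped_quotes(expr, quote):
            line = jsp_text.count("\n", 0, m.start()) + 1
            hits.append((line, name, quote))
    return hits


# Constructed sample: line 2 nests an unescaped double quote, line 3 escapes
# it, line 4 switches the delimiter to a single quote.
SAMPLE_JSP = (
    '<%@ taglib prefix="my" uri="http://example.invalid/tags" %>\n'
    '<my:field name="<%= "username" %>" />\n'
    '<my:field name="<%= \\"password\\" %>" />\n'
    "<my:field name='<%= \"lt\" %>' />\n"
)

if __name__ == "__main__":
    for line, attr, quote in find_strict_quote_violations(SAMPLE_JSP):
        print(f"line {line}: attribute {attr} nests an unescaped {quote}")
```

Each reported attribute can be fixed by escaping the inner quotes or by switching the delimiter, as lines 3 and 4 of the sample do, after which the JAVA_OPTS override is no longer needed for that page.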
