Author: markt
Date: Sat Jun 7 08:43:02 2025
New Revision: 1926211
URL: http://svn.apache.org/viewvc?rev=1926211&view=rev
Log: Clarify requirements for writable web apps
Modified: tomcat/site/trunk/docs/security-model.html tomcat/site/trunk/xdocs/security-model.xml Modified: tomcat/site/trunk/docs/security-model.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-model.html?rev=1926211&r1=1926210&r2=1926211&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-model.html (original) +++ tomcat/site/trunk/docs/security-model.html Sat Jun 7 08:43:02 2025 @@ -38,6 +38,11 @@ Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.</p> + <p>Web applications that enable functionality that allows the modification + of the web application (e.g. WebDAV, HTTP PUT requests or similar) are + expected to take steps to secure that functionality. Failure to do so + is an application vulnerability, not a Tomcat vulnerability.</p> + <p>Reports of vulnerabilities in the web applications included with standard Tomcat distributions from the ASF will be accepted. Reporters should review the comments about each of the provided applications in Modified: tomcat/site/trunk/xdocs/security-model.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-model.xml?rev=1926211&r1=1926210&r2=1926211&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-model.xml (original) +++ tomcat/site/trunk/xdocs/security-model.xml Sat Jun 7 08:43:02 2025 
@@ -46,6 +46,11 @@ Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.</p> + <p>Web applications that enable functionality that allows the modification + of the web application (e.g. WebDAV, HTTP PUT requests or similar) are + expected to take steps to secure that functionality. Failure to do so + is an application vulnerability, not a Tomcat vulnerability.</p> + <p>Reports of vulnerabilities in the web applications included with standard Tomcat distributions from the ASF will be accepted. Reporters should review the comments about each of the provided applications in --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
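Review bot: the added paragraph (identical in the security-model.html and security-model.xml hunks) tells application authors they are "expected to take steps to secure that functionality" without saying what those steps are or where they are documented, so a reader who has enabled WebDAV or HTTP PUT gets no pointer to authentication or authorization configuration. Suggest one more sentence or a link, e.g. "Such functionality should be restricted to authenticated and authorised users by an appropriate security constraint." The parenthetical "(e.g. WebDAV, HTTP PUT requests or similar)" is also open-ended; consider stating plainly that any mechanism allowing the deployed content to be changed at runtime falls under this rule, so the boundary between application and Tomcat responsibility is unambiguous. Since docs/security-model.html appears to be the rendered form of xdocs/security-model.xml, confirm the HTML was regenerated from the XDoc rather than hand-edited so the two stay in sync.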