markt-asf commented on PR #504: URL: https://github.com/apache/tomcat/pull/504#issuecomment-1098727906
This is a bad idea for so many different reasons. To name a few: - "Spring4Shell" allows arbitrary file uploads. All an attacker has to do to bypass this change is to upload a web.xml file that re-enables the mapping - It does nothing to help users that want/need to use JSPs. - Users that had followed the documented security recommendations and set OS file permissions appropriately would have been protected not only against "Spring4Shell"but against any similar vulnerability as well -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org