configuration reference does not warn user to never turn on debugmode on
production developments
------------------------------------------------------------------------------------------------
Key: STS-670
URL: http://www.stripesframework.org/jira/browse/STS-670
Project: Stripes
Issue Type: Bug
Components: Documentation
Affects Versions: Release 1.5.1, Release 1.5
Reporter: Ward van Wanrooij
The configuration reference
(http://www.stripesframework.org/display/stripes/Configuration+Reference) does
not warn the user about the risks associated with turning on Stripes.Debug.
Turning on that parameter exposes the web application to, e.g., returning the
web.xml file, potentially containing database passwords etc. (when having a
LoginActionBean class, a login resolution and two required parameters
(username, password), the URL Login.action?login=&_sourcePage=/WEB-INF/web.xml
returns web.xml).
Although it is not a best practice to turn on debugging in a production
environment, I think the developer should at least be warned that this creates
a security hole.
_______________________________________________
Stripes-development mailing list
https://lists.sourceforge.net/lists/listinfo/stripes-development
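
A release-time check for the setting named in the report, as an added example that is not part of the original message or of Stripes itself: it parses a web.xml and reports every filter, servlet or context parameter that sets Stripes.Debug. Assumptions: the parameter is configured in web.xml, any value other than an explicit "false" is treated as enabled, and the sample descriptor is constructed.

```python
import sys
import xml.etree.ElementTree as ET

DEBUG_PARAM = "Stripes.Debug"  # parameter name as given in the report


def local(tag):
    """Drop the XML namespace so the check works for any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]


def debug_enabled_in(web_xml):
    """Return the owners (filter, servlet or context) that switch Stripes.Debug on."""
    hits = []
    for top in ET.fromstring(web_xml):
        kind = local(top.tag)
        if kind == "context-param":
            owner, candidates = "context-param", [top]
        elif kind in ("filter", "servlet"):
            names = [c.text.strip() for c in top if local(c.tag) == kind + "-name" and c.text]
            owner = f"{kind}:{names[0] if names else '?'}"
            candidates = [c for c in top if local(c.tag) == "init-param"]
        else:
            continue
        for cand in candidates:
            p = {local(c.tag): (c.text or "").strip() for c in cand}
            # Fail closed (assumption): any value except an explicit "false" counts as enabled.
            if p.get("param-name") == DEBUG_PARAM and p.get("param-value", "").lower() != "false":
                hits.append(owner)
    return hits


# Constructed sample descriptor, not taken from the report; {value} is filled in below.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>StripesFilter</filter-name>
    <filter-class>net.sourceforge.stripes.controller.StripesFilter</filter-class>
    <init-param><param-name>Stripes.Debug</param-name><param-value>{value}</param-value></init-param>
  </filter>
</web-app>"""

if __name__ == "__main__":
    # Usage: pass the path to WEB-INF/web.xml; without an argument the sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE.format(value="true")
    hits = debug_enabled_in(data)
    print("Stripes.Debug enabled in:", ", ".join(hits) or "nowhere")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets a build or packaging step stop when the production descriptor still has debug mode on.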