[
http://www.stripesframework.org/jira/browse/STS-670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ben Gunter resolved STS-670.
----------------------------
Resolution: Fixed
Added a warning.
> configuration reference does not warn user to never turn on debugmode on
> production developments
> ------------------------------------------------------------------------------------------------
>
> Key: STS-670
> URL: http://www.stripesframework.org/jira/browse/STS-670
> Project: Stripes
> Issue Type: Bug
> Components: Documentation
> Affects Versions: Release 1.5, Release 1.5.1
> Reporter: Ward van Wanrooij
>
> The configuration reference
> (http://www.stripesframework.org/display/stripes/Configuration+Reference)
> does not warn the user with the risks associated to turning on Stripes.Debug.
> Turning on that parameter exposes the webapplication to e.g. returning the
> web.xml file, potentially containing database passwords etc (when having a
> LoginActionBean class, a login resolution and two required parameters
> (username, password) the URL Login.action?login=&_sourcePage=/WEB-INF/web.xml
> returns web.xml)
> Although not a best practice to turn on debugging on a production
> environemnt, I think the developer should at least be warned that this
> creates a security hole.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://www.stripesframework.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
------------------------------------------------------------------------------
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
