http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15417

jsp_precompile seems like a possible DOS vulnerability

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From [EMAIL PROTECTED]  2002-12-16 22:33 -------
A request to a page with jsp_precompile option is just like the request without
the option, except that the request is not delivered, i.e.
http://foo.bar.jsp?pre_compile is not more expensive than http://foo.bar.jsp. 
The compilation is done only once, and if the JSP page has been compiled, the
compilation won't happen.  Therefore I fail to see how this can be used as a DOS
attack.

A production application should precompile all JSP pages, and that will reduce 
jsp_precompile to a nop.

A more useful server option is probably one that tells it that the JSP pages in
an application have been precompiled, and that it should not have to check for
the time stamps for the pages and their servlet files.  This might improve the
performance of the pages somewhat.
