https://bz.apache.org/bugzilla/show_bug.cgi?id=64009
Bug ID: 64009
Summary: Embedded Tomcat has insecure default by activating JspServlet without opt-in
Product: Tomcat 8
Version: 8.5.50
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: emergency.sho...@gmail.com
Target Milestone: ----

By default, and under certain circumstances (see https://bz.apache.org/bugzilla/show_bug.cgi?id=64008), embedded Tomcat automatically adds the JspServlet and servlet mappings for it to web apps.

From a security point of view this behaviour leads to an increased vulnerability surface without user opt-in. It should therefore probably be avoided.

Currently we are using a patched version of embedded Tomcat that does not inject the JspServlet programmatically, but this does not seem to be a good long-term perspective.
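The behaviour described in the report can be verified and neutralised from the embedding application itself, without patching Tomcat. The following is an added example and is not code from the bug report or from the Tomcat project. It assumes tomcat-embed-core 8.5 or 9.0 on the classpath; the class name, the context paths and the temporary directories used as base and doc base are constructed for the illustration.

```java
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.Tomcat;

public class JspServletAudit {

    // Jasper's JSP servlet. Tomcat.addWebapp() registers it by class name
    // (mapped to *.jsp and *.jspx) through its DefaultWebXmlListener.
    static final String JSP_SERVLET_CLASS = "org.apache.jasper.servlet.JspServlet";

    static boolean isJspWrapper(Container c) {
        return c instanceof Wrapper
                && JSP_SERVLET_CLASS.equals(((Wrapper) c).getServletClass());
    }

    /** URL patterns in ctx that resolve to a JspServlet wrapper; empty means no JSP surface. */
    static List<String> findJspMappings(Context ctx) {
        List<String> hits = new ArrayList<>();
        for (String pattern : ctx.findServletMappings()) {
            // findChild(null) returns null, so a dangling mapping is simply skipped
            if (isJspWrapper(ctx.findChild(ctx.findServletMapping(pattern)))) {
                hits.add(pattern);
            }
        }
        return hits;
    }

    /** Drops the JSP mappings and the wrapper(s) behind them; returns the number of mappings removed. */
    static int removeJspServlet(Context ctx) {
        List<String> patterns = findJspMappings(ctx);
        for (String pattern : patterns) {
            ctx.removeServletMapping(pattern);
        }
        for (Container child : ctx.findChildren()) {
            if (isJspWrapper(child)) {
                ctx.removeChild(child);
            }
        }
        return patterns.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed scratch directories so the audit runs without a real web app.
        String baseDir = Files.createTempDirectory("tomcat-base").toString();
        String docBase = Files.createTempDirectory("tomcat-docbase").toString();

        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(baseDir);
        tomcat.setPort(8080);
        tomcat.getConnector();

        // addWebapp(): Tomcat's built-in defaults (DefaultServlet, JspServlet, MIME types)
        // are applied at CONFIGURE_START, i.e. during start(), not at this call.
        Context withDefaults = tomcat.addWebapp("/defaults", docBase);

        // addContext(): no defaults at all; only what you register explicitly is mapped.
        Context bare = tomcat.addContext("/bare", docBase);

        tomcat.start();
        try {
            System.out.println("/defaults JSP mappings before: " + findJspMappings(withDefaults));
            System.out.println("/bare     JSP mappings:        " + findJspMappings(bare));

            int removed = removeJspServlet(withDefaults);
            System.out.println("removed " + removed + " JSP mapping(s); after: "
                    + findJspMappings(withDefaults));
        } finally {
            tomcat.stop();
            tomcat.destroy();
        }
    }
}
```

Run against a default-configured context this reports the two patterns (*.jsp and *.jspx) for /defaults and none for /bare, then an empty list after removal. Because the defaults are injected during start(), the audit has to run after tomcat.start(); a check made right after addWebapp() would see nothing and give a false sense of safety. The simplest opt-out is to build contexts with addContext() and register servlets explicitly; where a web.xml must be processed via addWebapp(), newer 8.5 and 9.0 releases also provide Tomcat.setAddDefaultWebXmlToWebapp(false), which should be called before addWebapp() and checked against the javadoc of the exact version in use.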