Author: markt
Date: Fri Sep 6 07:49:48 2024
New Revision: 1920493

URL: http://svn.apache.org/viewvc?rev=1920493&view=rev
Log:
Updates after kkolinko's review
Modified: tomcat/site/trunk/docs/security-model.html tomcat/site/trunk/xdocs/security-model.xml Modified: tomcat/site/trunk/docs/security-model.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-model.html?rev=1920493&r1=1920492&r2=1920493&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-model.html (original) +++ tomcat/site/trunk/docs/security-model.html Fri Sep 6 07:49:48 2024 @@ -17,9 +17,13 @@ any of the following will be rejected:</p> <ul> - <li>The Manager or Host Manager web applications provided with Tomcat.</li> - <li>Tomcat configuration files.</li> <li>Tomcat binaries and/or scripts.</li> + <li>Tomcat configuration files.</li> + <li>Tomcat log files.</li> + <li>The temp directory (by default <code>$CATALINA_BASE/temp</code>)</li> + <li>Web application working directories (by default + <code>$CATALINA_BASE/work</code>)</li> + <li>The Manager or Host Manager web applications provided with Tomcat.</li> <li>The JMX API (local or remote).</li> <li>The Java Attach API or any other debugging interface.</li> </ul> 
@@ -47,17 +51,22 @@ <div class="subsection"><h4 id="Connectors">Connectors</h4><div class="text"> <p>Data received via a Connector, regardless of protocol, is considered to - be untrusted apart from:</p> + be untrusted with the exception of:</p> <ul> <li>The standard request attributes and any arbitrary request attributes permitted by <code>allowedRequestAttributesPattern</code> for an AJP connector.</li> <li>HTTP headers processed by a <code>RemoteIpValve</code>, - <code>SSLValve</code>, equivalent filters (<code>RemoteIpFilter</code>) - or any similar functionality.</li> + <code>SSLValve</code>, equivalent filters + (<code>RemoteIpFilter</code>) or any similar functionality.</li> </ul> + <p>Clients are responsible for the consequences of the data they present + to Tomcat. If a client presents a malformed request that Tomcat + processes as per the specification for configured protocol, then any + security impact to the client is the client's responsibility.</p> + </div></div> <div class="subsection"><h4 id="Clustering">Clustering</h4><div class="text"> @@ -78,6 +87,12 @@ <p>Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.</p> + <p>The default logs are likely to contain personally identifiable + information (PII) such as the IP address of users.</p> + + <p>Tomcat is not responsible for the content of log messages generated by + applications.</p> + </div></div> </div></div></div></div></main><footer id="footer"> Modified: tomcat/site/trunk/xdocs/security-model.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-model.xml?rev=1920493&r1=1920492&r2=1920493&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-model.xml (original) +++ tomcat/site/trunk/xdocs/security-model.xml Fri Sep 6 07:49:48 2024 
@@ -25,9 +25,13 @@ any of the following will be rejected:</p> <ul> - <li>The Manager or Host Manager web applications provided with Tomcat.</li> - <li>Tomcat configuration files.</li> <li>Tomcat binaries and/or scripts.</li> + <li>Tomcat configuration files.</li> + <li>Tomcat log files.</li> + <li>The temp directory (by default <code>$CATALINA_BASE/temp</code>)</li> + <li>Web application working directories (by default + <code>$CATALINA_BASE/work</code>)</li> + <li>The Manager or Host Manager web applications provided with Tomcat.</li> <li>The JMX API (local or remote).</li> <li>The Java Attach API or any other debugging interface.</li> </ul> @@ -55,17 +59,22 @@ <subsection name="Connectors"> <p>Data received via a Connector, regardless of protocol, is considered to - be untrusted apart from:</p> + be untrusted with the exception of:</p> <ul> <li>The standard request attributes and any arbitrary request attributes permitted by <code>allowedRequestAttributesPattern</code> for an AJP connector.</li> <li>HTTP headers processed by a <code>RemoteIpValve</code>, - <code>SSLValve</code>, equivalent filters (<code>RemoteIpFilter</code>) - or any similar functionality.</li> + <code>SSLValve</code>, equivalent filters + (<code>RemoteIpFilter</code>) or any similar functionality.</li> </ul> + <p>Clients are responsible for the consequences of the data they present + to Tomcat. If a client presents a malformed request that Tomcat + processes as per the specification for configured protocol, then any + security impact to the client is the client's responsibility.</p> + </subsection> <subsection name="Clustering"> 
@@ -86,10 +95,15 @@ <p>Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.</p> + <p>The default logs are likely to contain personally identifiable + information (PII) such as the IP address of users.</p> + + <p>Tomcat is not responsible for the content of log messages generated by + applications.</p> + </subsection> </section> </body> </document> -
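Review bot: In the list hunk (@@ -25,9 +25,13 @@ in security-model.xml, mirrored at @@ -17,9 +17,13 @@ in the generated security-model.html), the two new items for the temp directory and the web application working directories end without a full stop, while every other item in the list ends with one. Suggest closing them as "<code>$CATALINA_BASE/temp</code>).</li>" and "<code>$CATALINA_BASE/work</code>).</li>" so the list stays consistent.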
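Review bot: In the Connectors hunk (@@ -55,17 +59,22 @@ in security-model.xml, mirrored at @@ -47,17 +51,22 @@ in the HTML), the new paragraph reads "as per the specification for configured protocol", which is missing an article; suggest "for the configured protocol". The closing clause "any security impact to the client is the client's responsibility" also leaves the outcome for a report implicit; stating that such reports will be rejected would match the "will be rejected" wording used for the list earlier in the document.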
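Review bot: In the Logging hunk (@@ -86,10 +95,15 @@ in security-model.xml, mirrored at @@ -78,6 +87,12 @@ in the HTML), "The default logs are likely to contain personally identifiable information (PII)" does not say which of the default logs is meant, nor what follows from it for the security model. Suggest naming the log or logs concerned and adding whether the presence of PII in the default logs is, by itself, treated as a vulnerability, so the sentence reads as a statement of scope like the paragraphs around it.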