https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|NEW |RESOLVED
--- Comment #11 from Mark Thomas <ma...@apache.org> ---
The DBCP comparison is not valid. There are external factors that may
invalidate a database connection that the connection pool cannot detect unless
it tests the connection. There are tradeoffs for when it is best to perform
that test and DBCP provides a range of options to enabled applications to
select the strategy that works best for them.
This proposal might protect against some Tomcat bugs in some circumstances but
at the price of a performance penalty for every single request. I might be
convinced that such a trade-off was worth making if it guaranteed that it would
eliminate a class of bugs but it can't. CVE-2024-21733 being a case in point.
I'm not convinced that is a trade-off that is reasonable and I am not seeing
any other committers think it is either.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
