https://bz.apache.org/bugzilla/show_bug.cgi?id=62844

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
Speaking as a member of both the Tomcat and ASF security teams:

I whole-heartedly endorse everything Rémy said in comment #3.

There is no vulnerability here. By design, the CGI servlet executes what it is
told to. That is entirely under the application developer's control. It is
irrelevant what file extensions the developer has chosen to give to the files
the developer has configured the CGI Servlet to execute.

Separately, if an application developer is foolish enough to allow the
uploading of arbitrary files from untrusted users to a location that permits
them to be executed then that would be an application vulnerability, not a
Tomcat vulnerability.
