Author: schultz
Date: Wed Aug 28 21:26:56 2024
New Revision: 1920257

URL: http://svn.apache.org/viewvc?rev=1920257&view=rev
Log:
Minor edits.

Modified:
    tomcat/site/trunk/docs/security-model.html
    tomcat/site/trunk/xdocs/security-model.xml

Modified: tomcat/site/trunk/docs/security-model.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-model.html?rev=1920257&r1=1920256&r2=1920257&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-model.html (original)
+++ tomcat/site/trunk/docs/security-model.html Wed Aug 28 21:26:56 2024
@@ -12,9 +12,9 @@
 
     <div class="subsection"><h4 id="Administrative_users">Administrative 
users</h4><div class="text">
 
-      <p>Administrative users are always considered to be trusted. Reports that
-         require attacker access to and/or control of any of the following to
-         succeed will be rejected:</p>
+      <p>Administrative users are always considered to be trusted. Reports for
+         vulnerabilities where an attacker already has access to or control 
over
+         any of the following will be rejected:</p>
 
       <ul>
         <li>The Manager or Host Manager applications provided with Tomcat</li>
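Review bot: The reworded sentence in the Administrative users paragraph, "where an attacker already has access to or control over", drops the condition the removed text expressed with "require ... to succeed". The old wording rejected reports whose attack depends on that access. The new wording can also be read as rejecting any report in which the attacker happens to hold that access, even when the flaw is exploitable without it. Consider keeping the dependency explicit, for example "Reports for vulnerabilities that require an attacker to already have access to or control over any of the following will be rejected".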
@@ -29,13 +29,14 @@
     <div class="subsection"><h4 id="Web_applications">Web 
applications</h4><div class="text">
 
       <p>Web applications deployed to Tomcat are considered to be trusted.
-         Vulnerabilities in user provided web applications are application
+         Vulnerabilities in user-provided web applications are application
          vulnerabilities, not Tomcat vulnerabilities.</p>
 
       <p>Reports of vulnerabilities in the web applications included with
-         Tomcat will be accepted. Reporters should review the comments about
-         each of the provided applications in the security considerations
-         section of the documentation for the version under test.</p>
+         standard Tomcat distributions will be accepted. Reporters should
+         review the comments about each of the provided applications in the
+         security considerations section of the documentation for the version
+         under test.</p>
 
     </div></div>
 
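Review bot: "standard Tomcat distributions" in the second paragraph of the Web applications subsection is not defined in the surrounding text, so a reporter cannot tell whether it covers only the project's own release artifacts or also builds repackaged by third parties. Since this sentence sets what is in scope for a report, state which distributions are meant or link to where that is defined.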
@@ -50,7 +51,7 @@
             connector</li>
         <li>HTTP headers processed by a <code>RemoteIpValve</code>,
             <code>SSLValve</code>, equivalent filters or any similar
-            functionality.</li>
+            functionality</li>
       </ul>
 
     </div></div>
@@ -67,10 +68,10 @@
 
     <div class="subsection"><h4 id="Logging">Logging</h4><div class="text">
 
-      <p>Security sensitive information will not be logged with the default
+      <p>Security-sensitive information will not be logged with the default
          configuration apart from anything included in the request URI.</p>
 
-      <p>Security sensitive information may be logged with modified logging
+      <p>Security-sensitive information may be logged with modified logging
          configurations, particularly if debug logging is enabled.</p>
 
     </div></div>

Modified: tomcat/site/trunk/xdocs/security-model.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-model.xml?rev=1920257&r1=1920256&r2=1920257&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-model.xml (original)
+++ tomcat/site/trunk/xdocs/security-model.xml Wed Aug 28 21:26:56 2024
@@ -20,9 +20,9 @@
 
     <subsection name="Administrative users">
 
-      <p>Administrative users are always considered to be trusted. Reports that
-         require attacker access to and/or control of any of the following to
-         succeed will be rejected:</p>
+      <p>Administrative users are always considered to be trusted. Reports for
+         vulnerabilities where an attacker already has access to or control 
over
+         any of the following will be rejected:</p>
 
       <ul>
         <li>The Manager or Host Manager applications provided with Tomcat</li>
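Review bot: The added sentence opens with "Reports for vulnerabilities", while the Web applications subsection of this same file uses "Reports of vulnerabilities". Use "Reports of" here as well so the two scope statements read consistently.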
@@ -37,13 +37,14 @@
     <subsection name="Web applications">
 
       <p>Web applications deployed to Tomcat are considered to be trusted.
-         Vulnerabilities in user provided web applications are application
+         Vulnerabilities in user-provided web applications are application
          vulnerabilities, not Tomcat vulnerabilities.</p>
 
       <p>Reports of vulnerabilities in the web applications included with
-         Tomcat will be accepted. Reporters should review the comments about
-         each of the provided applications in the security considerations
-         section of the documentation for the version under test.</p>
+         standard Tomcat distributions will be accepted. Reporters should
+         review the comments about each of the provided applications in the
+         security considerations section of the documentation for the version
+         under test.</p>
 
     </subsection>
 
@@ -58,7 +59,7 @@
             connector</li>
         <li>HTTP headers processed by a <code>RemoteIpValve</code>,
             <code>SSLValve</code>, equivalent filters or any similar
-            functionality.</li>
+            functionality</li>
       </ul>
 
     </subsection>
@@ -75,10 +76,10 @@
 
     <subsection name="Logging">
 
-      <p>Security sensitive information will not be logged with the default
+      <p>Security-sensitive information will not be logged with the default
          configuration apart from anything included in the request URI.</p>
 
-      <p>Security sensitive information may be logged with modified logging
+      <p>Security-sensitive information may be logged with modified logging
          configurations, particularly if debug logging is enabled.</p>
 
     </subsection>


