https://bz.apache.org/bugzilla/show_bug.cgi?id=69752
--- Comment #6 from Mark Thomas <ma...@apache.org> ---
(In reply to Christopher Schultz from comment #5)
> This seems like a reasonable "secure by default" hardening maneuver.

Tomcat is already secure by default in this case. The default is "webapps".

This would not be a secure by default change but a "secure when the administrator (who is meant to know what they are doing) provides an unsafe configuration" change.

The logging of the deployed web applications should already be sufficient to bring this to the attention of the administrator.

I remain concerned that taking specific action for this one foolish configuration would be the start of the slippery slope as there are many, many ways an administrator could shoot themselves in the foot.