I'm agreeing with Costin. Please move this discussion to
[EMAIL PROTECTED]. It is off-topic here.
----- Original Message -----
From: "Bojan Smojver" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 7:33 PM
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> Not if:
>
> runtime.interpolate.string.literals = false
>
> Bojan
>
> Quoting Tim Funk <[EMAIL PROTECTED]>:
>
> > That's what code reviews are for and in absence of that - firing your
> > developers.
> >
> > Wouldn't I also get an out of memory with this in Velocity?
> >
> > #set($oom = "0000000000000000000000000000000000000000000000000000" )
> > #foreach( $i in [-2147483648..2147483648] )
> > #set($oom = "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" )
> > #end
> >
> > Bad code can kill ANY system for the determined (disgruntled) developer.
> >
> >
> > Bojan Smojver wrote:
> > > All right then, let's talk about JSP's. If I host my clients' JSP's on my server
> > > and a web designer puts this in (BTW, he wasn't forced, he simply decided he
> > > wanted to do it):
> > >
> > > -----------------------------------------------
> > > Hashtable strings = new Hashtable();
> > > int i=0;
> > > while (true)
> > > {
> > > strings.put ("dead"+i, new StringBuffer(999999));
> > > }
> > > -----------------------------------------------
> > >
> >
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> >
> >