I'm agreeing with Costin. Please move this discussion to [EMAIL PROTECTED]. It is off-topic here.
----- Original Message -----
From: "Bojan Smojver" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 7:33 PM
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> Not if:
>
> runtime.interpolate.string.literals = false
>
> Bojan
>
> Quoting Tim Funk <[EMAIL PROTECTED]>:
>
> > That's what code reviews are for and in absence of that - firing your
> > developers.
> >
> > Wouldn't I also get an out of memory with this in Velocity?
> >
> > #set($oom = "0000000000000000000000000000000000000000000000000000" )
> > #foreach( $i in [-2147483648..2147483648] )
> > #set($oom = "$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom$oom" )
> > #end
> >
> > Bad code can kill ANY system for the determined (disgruntled) developer.
> >
> >
> > Bojan Smojver wrote:
> > > All right then, let's talk about JSP's. If I host my clients' JSP's on my
> > > server and a web designer puts this in (BTW, he wasn't forced, he simply
> > > decided he wanted to do it):
> > >
> > > -----------------------------------------------
> > > Hashtable strings = new Hashtable();
> > > int i=0;
> > > while (true)
> > > {
> > >     strings.put ("dead"+i, new StringBuffer(999999));
> > > }
> > > -----------------------------------------------
> > >
> > >
> > > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/