> Hi Remy,
>
> > I actually tried the test case (I guess I should have tried it before
> > ...), and it didn't do what I thought it would do. This does not
> > qualify as a security issue by my book, though (it is recommended to
> > test your application before putting it in production).
>
> Now I have a simple question: Do you think this is a Tomcat bug or not?

It looks like it. I have to look into the issue more, I suppose.

> About the security issue (or not): We _did_ test our application. We just
> didn't expect that a working JSP would change its behaviour just because we
> include it from another one! Also think about third-party components. If you
> have a third-party JSP that does a forward, you can never be sure it works
> within an include. The bottom line is: JSPs should _never_ be served as
> static content (unless an application explicitly changes the .jsp mapping or
> serves it itself). Everything else is at least a bug. Sorry for repeating
> this again and again, but Orion and Resin don't have this issue and I'd love
> to fix Tomcat provided I get some positive feedback regarding my proposed
> solution.

I have no opinion on it at the moment.

Remy