DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15417>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15417

jsp_precompile seems like a possible DOS vulnerability

           Summary: jsp_precompile seems like a possible DOS vulnerability
           Product: Tomcat 4
           Version: Unknown
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Unknown
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

I haven't actually had a problem with it yet, but it seems like anyone who figures out that a site is using a heavyweight jsp page could mount a substantial CPU utilization DOS by sending lots of jsp_precompile requests. It seems that there should be a way to turn it off on production servers. Discussion on IRC seems to indicate that there is currently no way to turn it off. (One of the individuals claimed that he was reading the source and couldn't find any facility for disabling it.)

An alternate/additional idea to jsp_precompile is to replace this feature with one that allows the server configuration to specify a port number to open in parallel to the main port, but force a recompile for every access on that port (and then send back the newly compiled page to the developer, unlike jsp_precompile). This could easily be controlled at the firewall level by blocking access to that port, and disabled (never enabled?) for a production server.

The need for such a feature comes up when (for example) one goes from working on a HEAD revision to working on a branch where the file mod times can get older. You don't want to see the version left over from the newer HEAD when you attempt to view your work in the branch. In this case you actually want to recompile when the file got older, making an always-recompile interface useful.
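One way an operator can get the "turn it off on production servers" behaviour the report asks for, without changing Tomcat itself, is a servlet filter mapped to `*.jsp` that rejects any request whose query string carries `jsp_precompile`. This is an added example, not code from Tomcat or from the reporter; the class name `DenyPrecompileFilter` and the `enabled` init-param are assumptions. It inspects the raw query string rather than `getParameter()`, because Jasper keys the precompile check off the query string and because `getParameter()` on a POST would consume the request body.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of Tomcat): refuses requests
 * that carry the jsp_precompile query parameter so remote clients cannot
 * force Jasper to recompile heavyweight pages on a production server.
 * Map it to *.jsp in web.xml; set init-param "enabled" to "false" on
 * development servers that still want the feature.
 */
public class DenyPrecompileFilter implements Filter {
    private FilterConfig config;
    private boolean enabled = true;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
        String value = config.getInitParameter("enabled");
        if (value != null) {
            enabled = Boolean.valueOf(value).booleanValue();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (enabled && req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            if (hasPrecompileParam(request.getQueryString())) {
                // Log the source so repeated attempts show up for the operator.
                config.getServletContext().log("Rejected jsp_precompile request from "
                        + request.getRemoteAddr() + " for " + request.getRequestURI());
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** True if any query-string parameter is named jsp_precompile (value ignored). */
    static boolean hasPrecompileParam(String queryString) {
        if (queryString == null) return false;
        String[] params = queryString.split("&");
        for (int i = 0; i < params.length; i++) {
            String name = params[i];
            int eq = name.indexOf('=');
            if (eq >= 0) name = name.substring(0, eq);
            if ("jsp_precompile".equals(name)) return true;
        }
        return false;
    }

    public void destroy() {
        config = null;
    }
}
```

The filter only blocks the precompile trigger; it does not rate-limit ordinary requests to the same page, so pair it with the usual connection and thread limits if the page itself is expensive to serve.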