Bug 63103

Summary: Consider removing "source.jsp" from examples
Product: Tomcat 9
Reporter: research
Component: Examples
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: minor    
Priority: P2    
Version: 9.0.14   
Target Milestone: -----   
Hardware: All   
OS: All   

Description research 2019-01-23 02:11:33 UTC
Consider removing /webapps/examples/jsp/source.jsp to reduce the attack surface. It doesn't appear to be used anymore since source code is now presented in HTML files using txt2html.

Comment 1 Mark Thomas 2019-01-23 08:54:51 UTC
I don't think there is much of a security argument for removing this JSP since it can only expose source code for files that are in the examples app and all that source is already publicly available.

However, I am strongly in favour of removing this (and the associated tag) on the grounds it is no longer used.

Comment 2 Mark Thomas 2019-01-23 09:12:32 UTC
Fixed in:
- trunk for 9.0.15 onwards
- 8.5.x for 8.5.38 onwards
- 7.0.x for 7.0.93 onwards

Thanks for the report.