Summary: Consider removing "source.jsp" from examples
Component: Examples
Assignee: Tomcat Developers Mailing List <dev>
Description research 2019-01-23 02:11:33 UTC
Consider removing /webapps/examples/jsp/source.jsp to reduce the attack surface. It doesn't appear to be used anymore since source code is now presented in HTML files using txt2html.
Comment 1 Mark Thomas 2019-01-23 08:54:51 UTC
I don't think there is much of a security argument for removing this JSP since it can only expose source code for files that are in the examples app and all that source is already publicly available. However, I am strongly in favour of removing this (and the associated tag) on the grounds it is no longer used.
Comment 2 Mark Thomas 2019-01-23 09:12:32 UTC
Fixed in:
- trunk for 9.0.15 onwards
- 8.5.x for 8.5.38 onwards
- 7.0.x for 7.0.93 onwards

Thanks for the report.