Bug 63103 - Consider removing "source.jsp" from examples
Summary: Consider removing "source.jsp" from examples
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Examples (show other bugs)
Version: 9.0.14
Hardware: All All
: P2 minor (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2019-01-23 02:11 UTC by research
Modified: 2019-01-23 09:12 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description research 2019-01-23 02:11:33 UTC
Consider removing /webapps/examples/jsp/source.jsp to reduce the attack surface. It doesn't appear to be used anymore since source code is now presented in HTML files using txt2html.
Comment 1 Mark Thomas 2019-01-23 08:54:51 UTC
I don't think there is much of a security argument for removing this JSP since it can only expose source code for files that are in the examples app and all that source is already publicly available.

However, I am strongly in favour of removing this (and the associated tag) on the grounds it is no longer used.
Comment 2 Mark Thomas 2019-01-23 09:12:32 UTC
Fixed in:
- trunk for 9.0.15 onwards
- 8.5.x for 8.5.38 onwards
- 7.0.x for 7.0.93 onwards

Thanks for the report.