From 66906dc030fc21439d26c1bb53c35200f5b4bfd2 Mon Sep 17 00:00:00 2001 From: markt Date: Sun, 10 Jul 2011 10:59:45 +0000 Subject: [PATCH] 7.0.18 not released git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1144818 13f79535-47bb-0310-9956-ffa450edef68 --- webapps/docs/changelog.xml | 9 +++++++++ webapps/docs/security-howto.xml | 15 ++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 67cf1bd00..9f7873563 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -81,6 +81,15 @@ + + + + Add additional information to the documentation web application on the + benefits and remaining risks when running under a security manager. + (markt) + + + diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 8a879d3e5..bd27e2f10 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -83,7 +83,20 @@ sandbox, significantly limiting a web application's ability to perform malicious actions such as calling System.exit(), establishing network connections or accessing the file system outside of the web application's - root and temporary directories.

+ root and temporary directories. However, it should be noted that there are + some malicious actions, such as triggering high CPU consumption via an + infinite loop, that the security manager cannot prevent.

+ +

Enabling the security manager is usually done to limit the potential + impact, should an attacker find a way to compromise a trusted web + application . A security manager may also be used to reduce the risks of + running untrusted web applications (e.g. in hosting environments) but it + should be noted that the security manager only reduces the risks of + running untrusted web applications, it does not eliminate them. If running + multiple untrusted web applications, it is recommended that each web + application is deployed to a separate Tomcat instance (and ideally separate + hosts) to reduce the ability of a malicious web application impacting the + availability of other applications.

Tomcat is tested with the security manager enabled; but the majority of Tomcat users do not run with a security manager, so Tomcat is not as well -- 2.11.0
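Review bot: In the security-howto.xml hunk there is a stray space before the full stop in "compromise a trusted web application ." and the sentence "the security manager only reduces the risks of running untrusted web applications, it does not eliminate them" is a comma splice; suggest "...application. A security manager..." and "...untrusted web applications; it does not eliminate them." The new paragraph also recommends separate Tomcat instances (and ideally separate hosts) without tying that advice back to the example given just above it, namely that an infinite loop consuming CPU cannot be stopped by the security manager; a short clause such as "to reduce the ability of a malicious web application (for example one consuming CPU as described above) impacting the availability of other applications" would make the reason for separate instances explicit.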
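Review bot: The changelog.xml entry describes the change only as adding information "to the documentation web application" without naming which document was updated; since the diff touches the Security HOW-TO's security manager section, suggest wording it as "Add additional information to the Security HOW-TO in the documentation web application on the benefits and remaining risks when running under a security manager." so readers of the changelog can find the revised text without consulting the commit.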