| <!DOCTYPE html SYSTEM "about:legacy-compat"> |
| <html lang="en"> |
| <head> |
| <META http-equiv="Content-Type" content="text/html; charset=iso-8859-15"> |
| <title>Apache JMeter |
| - |
| Security</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <link href="https://fonts.googleapis.com/css?family=Merriweather:400normal" rel="stylesheet" type="text/css"> |
| <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.1/css/font-awesome.min.css" rel="stylesheet" type="text/css"> |
| <link rel="stylesheet" type="text/css" href="./css/new-style.css"> |
| <link rel="apple-touch-icon-precomposed" href="./images/apple-touch-icon.png"> |
| <link rel="icon" href="./images/favicon.png"> |
| <meta name="msapplication-TileColor" content="#ffffff"> |
| <meta name="msapplication-TileImage" content="./images/mstile-144x144.png"> |
| <meta name="theme-color" content="#ffffff"> |
| </head> |
| <body role="document"> |
| <a href="#content" class="hidden">Main content</a> |
| <div class="header"> |
| <!-- |
| APACHE LOGO |
| --> |
| <div> |
| <a href="https://www.apache.org"><img title="Apache Software Foundation" class="asf-logo logo" src="./images/asf-logo.svg" alt="Logo ASF"></a> |
| </div> |
| <!-- |
| PROJECT LOGO |
| --> |
| <div> |
| <a href="https://jmeter.apache.org/"><img class="logo" src="./images/logo.svg" alt="Apache JMeter"></a> |
| </div> |
| <div class="banner"> |
| <a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png" alt="Current Apache event teaser"></a> |
| <div class="clear"></div> |
| </div> |
| </div> |
| <div class="nav"> |
| <ul class="menu"> |
| <li onClick="return true"> |
| <div class="menu-title">About</div> |
| <ul> |
| <li> |
| <a href="./index.html">Overview</a> |
| </li> |
| <li> |
| <a href="https://www.apache.org/licenses/">License</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="menu"> |
| <li onClick="return true"> |
| <div class="menu-title">Download</div> |
| <ul> |
| <li> |
| <a href="./download_jmeter.cgi">Download Releases</a> |
| </li> |
| <li> |
| <a href="./changes.html">Release Notes</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="menu"> |
| <li onClick="return true"> |
| <div class="menu-title">Documentation</div> |
| <ul> |
| <li> |
| <a href="./usermanual/get-started.html">Get Started</a> |
| </li> |
| <li> |
| <a href="./usermanual/index.html">User Manual</a> |
| </li> |
| <li> |
| <a href="./usermanual/best-practices.html">Best Practices</a> |
| </li> |
| <li> |
| <a href="./usermanual/component_reference.html">Component Reference</a> |
| </li> |
| <li> |
| <a href="./usermanual/functions.html">Functions Reference</a> |
| </li> |
| <li> |
| <a href="./usermanual/properties_reference.html">Properties Reference</a> |
| </li> |
| <li> |
| <a href="./changes_history.html">Change History</a> |
| </li> |
| <li> |
| <a href="./api/index.html">Javadocs</a> |
| </li> |
| <li> |
| <a href="https://cwiki.apache.org/confluence/display/JMETER/Home">JMeter Wiki</a> |
| </li> |
| <li> |
| <a href="https://cwiki.apache.org/confluence/display/JMETER/JMeterFAQ">FAQ (Wiki)</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="menu"> |
| <li onClick="return true"> |
| <div class="menu-title">Tutorials</div> |
| <ul> |
| <li> |
| <a href="./usermanual/jmeter_distributed_testing_step_by_step.html">Distributed Testing</a> |
| </li> |
| <li> |
| <a href="./usermanual/jmeter_proxy_step_by_step.html">Recording Tests</a> |
| </li> |
| <li> |
| <a href="./usermanual/junitsampler_tutorial.html">JUnit Sampler</a> |
| </li> |
| <li> |
| <a href="./usermanual/jmeter_accesslog_sampler_step_by_step.html">Access Log Sampler</a> |
| </li> |
| <li> |
| <a href="./usermanual/jmeter_tutorial.html">Extending JMeter</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="menu"> |
| <li onClick="return true"> |
| <div class="menu-title">Community</div> |
| <ul> |
| <li> |
| <a href="./issues.html">Issue Tracking</a> |
| </li> |
| <li> |
| <a href="./security.html">Security</a> |
| </li> |
| <li> |
| <a href="./mail.html">Mailing Lists</a> |
| </li> |
| <li> |
| <a href="./svnindex.html">Source Repositories</a> |
| </li> |
| <li> |
| <a href="./building.html">Building and Contributing</a> |
| </li> |
| <li> |
| <a href="https://projects.apache.org/project.html?jmeter">Project info at Apache</a> |
| </li> |
| <li> |
| <a href="https://cwiki.apache.org/confluence/display/JMETER/JMeterCommitters">Contributors</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="menu"> |
| <li onClick="return true"> |
| <div class="menu-title">Foundation</div> |
| <ul> |
| <li> |
| <a href="https://www.apache.org/">The Apache Software Foundation (ASF)</a> |
| </li> |
| <li> |
| <a href="https://www.apache.org/foundation/getinvolved.html">Get Involved in the ASF</a> |
| </li> |
| <li> |
| <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a> |
| </li> |
| <li> |
| <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> |
| </li> |
| <li> |
| <a href="https://www.apache.org/foundation/thanks.html">Thanks</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </div> |
| <div class="main" id="content"> |
| <div class="social-media"> |
| <ul class="social-media-links"> |
| <li class="twitter"> |
| <a href="https://twitter.com/ApacheJMeter" title="Follow us on Twitter"><i class="fa fa-twitter" aria-hidden="true"></i>Twitter</a> |
| </li> |
| <li class="github"> |
| <a href="https://github.com/apache/jmeter" title="Fork us on github"><i class="fa fa-github" aria-hidden="true"></i>github</a> |
| </li> |
| </ul> |
| </div> |
| <div class="section"> |
| <h1>Security Model</h1> |
| |
| <p> |
| The purpose of JMeter is to execute the workload specified |
| in the input jmx file, which may include arbitrary code. |
| </p> |
| |
| <p> |
| As such, the JMeter security model assumes you trust |
| jmx input files: even opening a jmx input file may in some |
| cases trigger code execution. If you want to use JMeter to |
| evaluate untrusted jmx files, it is up to you to provide the |
| required isolation. |
| </p> |
| |
| <p> |
| Still in the area of security, when JMeter is used in distributed |
| environment, we recommend setting up the security manager in order |
| to avoid any execution of malicious code on the distributed |
| architecture. See the <a href="./usermanual/remote-test.html#security-manager"> |
| Security-Manager documentation</a> for its implementation. |
| |
| </p> |
| |
| </div> |
| <div class="section"> |
| <h1>Reporting security issues</h1> |
| |
| <p> |
| We strongly encourage you to report potential security vulnerabilities to our private security mailing list, <a href="mailto:security@apache.org">security@apache.org</a>, before disclosing them in a public forum. |
| |
| </p> |
| |
| <p> |
| Only use this list to report undisclosed security vulnerabilities in Apache projects and manage the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at these addresses. We will ignore mail sent to these addresses that does not relate to an undisclosed security problem in an Apache project. |
| </p> |
| |
| <p> |
| An overview of the vulnerability handling process is: |
| |
| <ul> |
| |
| <li>The reporter reports the vulnerability privately to Apache.</li> |
| |
| <li>The appropriate project's security team works privately with the reporter to resolve the vulnerability.</li> |
| |
| <li>The project creates a new release of the package the vulnerabilty affects to deliver its fix.</li> |
| |
| <li>The project publicly announces the vulnerability and describes how to apply the fix.</li> |
| |
| </ul> |
| Committers should read a <a href="https://www.apache.org/security/committers.html">more detailed description of the process</a>. Reporters of security vulnerabilities may also find it useful. |
| |
| </p> |
| |
| </div> |
| <div class="share-links"> |
| Share this page: |
| |
| <ul> |
| <li class="fb"> |
| <a data-social-url="https://facebook.com/sharer/sharer.php?u=" title="Share on facebook"><i class="fa fa-facebook" aria-hidden="true"></i>share</a> |
| </li> |
| <li class="twitter"> |
| <a data-social-url="https://twitter.com/intent/tweet?url=" title="Tweet on twitter"><i class="fa fa-twitter" aria-hidden="true"></i>tweet</a> |
| </li> |
| </ul> |
| </div> |
| <a href="#top" id="topButton">Go to top</a> |
| </div> |
| <div class="footer"> |
| <div class="copyright"> |
| Copyright © |
| 1999 – |
| 2024 |
| , Apache Software Foundation |
| </div> |
| <div class="trademarks">Apache, Apache JMeter, JMeter, the Apache |
| feather, and the Apache JMeter logo are |
| trademarks of the |
| Apache Software Foundation. |
| </div> |
| </div> |
| <script>(function(){ |
| "use strict"; |
| // enable 'go to top' button functionality |
| document.addEventListener('scroll', function() { |
| if (document.body.scrollTop > 500 || document.documentElement.scrollTop > 500) { |
| document.getElementById("topButton").style.display = "block"; |
| } else { |
| document.getElementById("topButton").style.display = "none"; |
| } |
| }); |
| // fill in the current location into social links on this page. |
| var as = document.getElementsByTagName('a'); |
| var loc = document.location.href; |
| if (!loc.toLowerCase().startsWith('http')) { |
| return; |
| } |
| for (var i=0; i<as.length; i++) { |
| var href = as[i].getAttribute('data-social-url'); |
| if (href !== null) { |
| as[i].href = href + encodeURIComponent(loc); |
| } |
| } |
| })();</script> |
| </body> |
| </html> |
