On 08/12/2016 09:54, Emmanuel Bourg wrote:
> [resending as a new message instead of a reply, sorry]

Thanks.

> I'm still working on the security backports in Debian and I have a
> question regarding CVE-2015-5345. On the Tomcat 7 security page the
> commits 1715213 and 1717212 are referenced. If I'm not mistaken the
> commit 1716860 should also be part of the fix, otherwise the
> mapper*RedirectEnabled attributes set on the context are ignored, right?

Your analysis is correct. This commit is another grey area, especially
given that the defaults were changed to avoid the consequences users
would really need these options to work for. On balance, I'm happy
adding it so I have done so.

> Also I haven't found an equivalent commit for Tomcat 8, is this normal?

It depends. In this case it is correct that there isn't an equivalent
commit for 8.0.x and beyond. The Mapper refactoring in 8.0.x removed the
need for the config attributes to be passed explicitly. In 8.0.x they
can be obtained when required from the Context.

Mark