https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #5 from Coty Sutherland <csuth...@redhat.com> ---
(In reply to Mark Thomas from comment #4)
> I generally dislike configuration via system property. That said, making
> this per Connector will be significantly more invasive.

I agree on both points. The system property seemed to be the least invasive way to achieve the desired result.

> Any proposed patch needs to include documentation. That documentation needs
> to include a very large, very clear warning that deviating from the default
> is a security risk.

Also agreed. Where would that documentation go?

> If this feature is implemented, I'd prefer to see the option to allow
> illegal characters limited to a much smaller sub-set.

Other than space, which characters should absolutely be excluded in all cases? I can create a secondary list containing those and programmatically add them if a user tries to remove them from the blacklist.

Also, my initial patch used a whitelist instead of a blacklist so that the system property was either commented out by default, or contained a few characters that were the exception to the rule. I inversed it to a blacklist to remove some logic and make it perform better; do you think that a whitelist would work better here? I can provide that patch also.