https://bz.apache.org/bugzilla/show_bug.cgi?id=62667
--- Comment #9 from Felix Schumacher <felix.schumac...@internetallee.de> ---
(In reply to Remy Maucherat from comment #7)
> I added the "feature"/bugfix for 9.0.12 and 8.5.34.
>
> I have no idea what the language from the comment "For security reasons we
> must never expand a string that includes verbatim data from the network."
> means since well, that's the point and this BZ asks for
> ${portals:%{HTTP_HOST}} (%{HTTP_HOST} is clearly verbatim network data).
> Comments ? Maybe it means you shouldn't parse network data (only evaluate),
> but that's not the case here obviously: the configuration is parsed on valve
> start and that's it.

I would read it so that data sent from the client should not be expanded any further. So, for example, if a user sends "%{HTTP_HOST}" as the value of the Host header, this would/could result in an infinite loop. There are probably more malicious examples that could be thought of.
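The distinction the comment draws, shown as an added example (not code from the bug report or from Tomcat's RewriteValve): a toy expander that re-scans substituted text until no `%{...}` token is left never converges when the Host header itself reads `%{HTTP_HOST}`, while a single-pass expander only parses the configured template and treats header values as opaque text. The `portals` map, header names and templates are constructed for the illustration.

```python
import re

# Constructed sample configuration: a "portals" rewrite map, as used by the
# ${portals:%{HTTP_HOST}} substitution requested in this bug.
MAPS = {"portals": {"a.example": "/portal-a", "b.example": "/portal-b"}}

HEADER_REF = re.compile(r"%\{([A-Z_]+)\}")
# ${map:key}; the key may itself contain %{HEADER} references.
MAP_REF = re.compile(r"\$\{(\w+):((?:%\{[A-Z_]+\}|[^{}])*)\}")


class ExpansionLoop(Exception):
    """Raised when the naive expander fails to converge."""


def naive_expand(template, headers, maps=MAPS, max_rounds=10):
    """Unsafe: re-scans the string after every substitution until no %{...}
    token remains, so a header whose value is itself a token never converges."""
    cur, rounds = template, 0
    while HEADER_REF.search(cur):
        if rounds >= max_rounds:
            raise ExpansionLoop(f"no convergence after {max_rounds} rounds: {cur!r}")
        cur = HEADER_REF.sub(lambda h: headers.get(h.group(1), ""), cur)
        rounds += 1
    return MAP_REF.sub(lambda m: maps.get(m.group(1), {}).get(m.group(2), ""), cur)


def safe_expand(template, headers, maps=MAPS):
    """Single pass: only the configured template is parsed. Header values are
    inserted verbatim (or used verbatim as a map key) and never re-scanned."""
    def hdr(h):
        return headers.get(h.group(1), "")

    def lookup(m):
        key = HEADER_REF.sub(hdr, m.group(2))        # raw header text is the key
        return maps.get(m.group(1), {}).get(key, "")  # unknown key: empty, no retry

    return HEADER_REF.sub(hdr, MAP_REF.sub(lookup, template))


def converges(template, headers):
    """True if the naive expander terminates on this input."""
    try:
        naive_expand(template, headers)
        return True
    except ExpansionLoop:
        return False


if __name__ == "__main__":
    hostile = {"HTTP_HOST": "%{HTTP_HOST}"}  # constructed: Host header carries a token
    print(naive_expand("${portals:%{HTTP_HOST}}", {"HTTP_HOST": "a.example"}))
    print(converges("${portals:%{HTTP_HOST}}", hostile))   # False: loops until the cap
    print(repr(safe_expand("${portals:%{HTTP_HOST}}", hostile)))  # '' (no such key)
```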