This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new add00a5 Update security docs after addition of encodedSolidusHandling
attribute
add00a5 is described below
commit add00a55c334f0ebc8a2d952f0f4cdff7517e3f5
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Apr 1 11:56:06 2020 +0100
Update security docs after addition of encodedSolidusHandling attribute
---
webapps/docs/security-howto.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index e929a8e..551b118 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -271,6 +271,11 @@
reduces the chances of a bug in an application exposing data from one
request to another.</p>
+ <p>The <strong>encodedSolidusHandling</strong> attribute allows
+ non-standard parsing of the request URI. Setting this attribute to a
+ non-default value when behind a reverse proxy may enable an attacker to
+ bypass any security constraints enforced by the proxy.</p>
+
<p>The <strong>maxPostSize</strong> attribute controls the maximum size
of a POST request that will be parsed for parameters. The parameters are
cached for the duration of the request so this is limited to 2MB by
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
