This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 22ce59d Update security docs after addition of encodedSolidusHandling
attribute
22ce59d is described below
commit 22ce59d4767fcc2a6895c7d556857b45fba93a79
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Apr 1 11:56:06 2020 +0100
Update security docs after addition of encodedSolidusHandling attribute
---
webapps/docs/security-howto.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index d52fc01..694a7a7 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -262,6 +262,11 @@
reduces the chances of a bug in an application exposing data from one
request to another.</p>
+ <p>The <strong>encodedSolidusHandling</strong> attribute allows
+ non-standard parsing of the request URI. Setting this attribute to a
+ non-default value when behind a reverse proxy may enable an attacker to
+ bypass any security constraints enforced by the proxy.</p>
+
<p>The <strong>maxPostSize</strong> attribute controls the maximum size
of a POST request that will be parsed for parameters. The parameters are
cached for the duration of the request so this is limited to 2MB by
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
