Author: remm
Date: Tue Mar 20 13:28:25 2007
New Revision: 520556

URL: http://svn.apache.org/viewvc?view=rev&rev=520556
Log:
- Some additional tweaks.

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=520556&r1=520555&r2=520556
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Tue Mar 20 13:28:25 2007
@@ -246,27 +246,23 @@
        CVE-2007-0450</a>
 </p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
        containing strings like "/\../" may allow attackers to work around the 
context 
        restriction of the proxy, and access the non-proxied contexts.
     </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide 
-       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+    <p>The following Java system properties have been added to Tomcat to 
provide 
+       additional control of the handling of path delimiters in URLs (both 
options 
        default to false):
        <ul>
          <li>
-<code>
-           -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
-         </code>
-</li>
+           
<code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: 
<code>true|false</code>
+         </li>
          <li>
-<code>
-           
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
-         </code>
-</li>
+           
<code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: 
<code>true|false</code>
+         </li>
        </ul>
     </p>
 

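Review bot: The two rewritten <li> items no longer show how the properties are set: the removed lines carried the -D prefix and the =true|false form, while the added lines give only the bare property name followed by true|false. A reader who does not already know that Java system properties are passed on the JVM command line loses that hint. Consider keeping one worked form next to the names, for example -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false.
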
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?view=diff&rev=520556&r1=520555&r2=520556
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Tue Mar 20 13:28:25 2007
@@ -269,27 +269,23 @@
        CVE-2007-0450</a>
 </p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
        containing strings like "/\../" may allow attackers to work around the 
context 
        restriction of the proxy, and access the non-proxied contexts.
     </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide 
-       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+    <p>The following Java system properties have been added to Tomcat to 
provide 
+       additional control of the handling of path delimiters in URLs (both 
options 
        default to false):
        <ul>
          <li>
-<code>
-           -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
-         </code>
-</li>
+           
<code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: 
<code>true|false</code>
+         </li>
          <li>
-<code>
-           
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
-         </code>
-</li>
+           
<code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: 
<code>true|false</code>
+         </li>
        </ul>
     </p>
 

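Review bot: The parenthetical "(both options default to false)" in the rewritten paragraph still says "options" although the sentence now introduces them as "Java system properties". Change it to "both properties default to false" so the term is used consistently.
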
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?view=diff&rev=520556&r1=520555&r2=520556
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue Mar 20 13:28:25 2007
@@ -269,27 +269,23 @@
        CVE-2007-0450</a>
 </p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
        containing strings like "/\../" may allow attackers to work around the 
context 
        restriction of the proxy, and access the non-proxied contexts.
     </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide 
-       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+    <p>The following Java system properties have been added to Tomcat to 
provide 
+       additional control of the handling of path delimiters in URLs (both 
options 
        default to false):
        <ul>
          <li>
-<code>
-           -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
-         </code>
-</li>
+           
<code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: 
<code>true|false</code>
+         </li>
          <li>
-<code>
-           
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
-         </code>
-</li>
+           
<code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: 
<code>true|false</code>
+         </li>
        </ul>
     </p>
 

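Review bot: The property list no longer says which delimiter each entry governs: the first paragraph now names three delimiters ('\', '%2F' and '%5C'), the list has two entries, and the removed wording at least tied the pair to '\' and '%5c'. In particular it is not clear from the names alone whether '%5C' falls under ALLOW_ENCODED_SLASH or ALLOW_BACKSLASH. Add a short phrase after each <code> name stating the characters it controls.
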
Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=520556&r1=520555&r2=520556
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Tue Mar 20 13:28:25 2007
@@ -46,23 +46,23 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
        containing strings like "/\../" may allow attackers to work around the 
context 
        restriction of the proxy, and access the non-proxied contexts.
     </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide 
-       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+    <p>The following Java system properties have been added to Tomcat to 
provide 
+       additional control of the handling of path delimiters in URLs (both 
options 
        default to false):
        <ul>
-         <li><code>
-           -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
-         </code></li>
-         <li><code>
-           
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
-         </code></li>
+         <li>
+           
<code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: 
<code>true|false</code>
+         </li>
+         <li>
+           
<code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: 
<code>true|false</code>
+         </li>
        </ul>
     </p>
 

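Review bot: The <ul> rewritten here is still nested inside the <p> that opens at "The following Java system properties" and closes after </ul>, and the docs/*.html hunks in this commit show the same nesting; a paragraph cannot contain a list in HTML. Since the list markup is being touched anyway, close the paragraph after "default to false):" and let the <ul> follow it as a sibling.
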
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?view=diff&rev=520556&r1=520555&r2=520556
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Tue Mar 20 13:28:25 2007
@@ -48,23 +48,23 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
        containing strings like "/\../" may allow attackers to work around the 
context 
        restriction of the proxy, and access the non-proxied contexts.
     </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide 
-       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+    <p>The following Java system properties have been added to Tomcat to 
provide 
+       additional control of the handling of path delimiters in URLs (both 
options 
        default to false):
        <ul>
-         <li><code>
-           -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
-         </code></li>
-         <li><code>
-           
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
-         </code></li>
+         <li>
+           
<code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: 
<code>true|false</code>
+         </li>
+         <li>
+           
<code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: 
<code>true|false</code>
+         </li>
        </ul>
     </p>
 

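Review bot: The new <li> items present true|false as a neutral choice, and the paragraph only says both default to false without saying what setting either property to true does. Because the preceding paragraph describes a bypass of the proxy's context restriction, state explicitly which value is the restrictive one and what true permits, so an administrator sees the connection to CVE-2007-0450 before changing the default.
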
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?view=diff&rev=520556&r1=520555&r2=520556
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Tue Mar 20 13:28:25 2007
@@ -48,23 +48,23 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
        containing strings like "/\../" may allow attackers to work around the 
context 
        restriction of the proxy, and access the non-proxied contexts.
     </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide 
-       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+    <p>The following Java system properties have been added to Tomcat to 
provide 
+       additional control of the handling of path delimiters in URLs (both 
options 
        default to false):
        <ul>
-         <li><code>
-           -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
-         </code></li>
-         <li><code>
-           
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
-         </code></li>
+         <li>
+           
<code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: 
<code>true|false</code>
+         </li>
+         <li>
+           
<code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: 
<code>true|false</code>
+         </li>
        </ul>
     </p>
 

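Review bot: The first changed sentence now lists '%2F' and '%5C' alongside '\', but the unchanged example further down the paragraph, the string "/\../", covers only the literal backslash. Say in that sentence that the encoded forms are handled as delimiters in the same way, so a proxy administrator knows that a rule matching only the literal character does not cover the issue. The unchanged "a HTTP request" could also become "an HTTP request" while this paragraph is open.
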

