Author: markt
Date: Thu Sep 5 18:47:53 2024
New Revision: 1920479
URL: http://svn.apache.org/viewvc?rev=1920479&view=rev
Log:
Add CSRF note
Modified:
tomcat/site/trunk/docs/security-model.html
tomcat/site/trunk/xdocs/security-model.xml
Modified: tomcat/site/trunk/docs/security-model.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-model.html?rev=1920479&r1=1920478&r2=1920479&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-model.html (original)
+++ tomcat/site/trunk/docs/security-model.html Thu Sep 5 18:47:53 2024
@@ -17,15 +17,19 @@
any of the following will be rejected:</p>
<ul>
- <li>The Manager or Host Manager applications provided with Tomcat</li>
- <li>Tomcat configuration files</li>
- <li>Tomcat binaries and/or scripts</li>
- <li>The JMX API (local or remote)</li>
- <li>The Java Attach API or any other debugging interface</li>
+ <li>The Manager or Host Manager applications provided with Tomcat.</li>
+ <li>Tomcat configuration files.</li>
+ <li>Tomcat binaries and/or scripts.</li>
+ <li>The JMX API (local or remote).</li>
+ <li>The Java Attach API or any other debugging interface.</li>
</ul>
- </div></div>
+ <p>Reports for vulnerabilities where an attacker tricks an administrative
+ user into performing an action the administrator did not intend to
+ perform (e.g. CSRF vulnerabilities) will be accepted.</p>
+ </div></div>
+
<div class="subsection"><h4 id="Web_applications">Web
applications</h4><div class="text">
<p>Web applications deployed to Tomcat are considered to be trusted.
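Review bot: the new paragraph at lines 31-33 is an exception to the rejection list directly above it, but nothing marks it as one, so a reader can take it as contradicting the first bullet (the Manager and Host Manager applications), which is exactly where a CSRF report against Tomcat would arise. Suggest opening with a connective and naming the scope, e.g. `However, reports of vulnerabilities in these components (the Manager and Host Manager applications in particular) where an attacker tricks an administrative user into performing an action the administrator did not intend to perform, such as CSRF, will be accepted.` That keeps the existing rule (an attacker with legitimate administrative access is out of scope) while making clear that an attacker without such access abusing an administrator's authenticated session is in scope.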
@@ -48,10 +52,10 @@
<ul>
<li>The standard request attributes and any arbitrary request
attributes
permitted by <code>allowedRequestAttributesPattern</code> for an
AJP
- connector</li>
+ connector.</li>
<li>HTTP headers processed by a <code>RemoteIpValve</code>,
<code>SSLValve</code>, equivalent filters or any similar
- functionality</li>
+ functionality.</li>
</ul>
</div></div>
Modified: tomcat/site/trunk/xdocs/security-model.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-model.xml?rev=1920479&r1=1920478&r2=1920479&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-model.xml (original)
+++ tomcat/site/trunk/xdocs/security-model.xml Thu Sep 5 18:47:53 2024
@@ -25,15 +25,19 @@
any of the following will be rejected:</p>
<ul>
- <li>The Manager or Host Manager applications provided with Tomcat</li>
- <li>Tomcat configuration files</li>
- <li>Tomcat binaries and/or scripts</li>
- <li>The JMX API (local or remote)</li>
- <li>The Java Attach API or any other debugging interface</li>
+ <li>The Manager or Host Manager applications provided with Tomcat.</li>
+ <li>Tomcat configuration files.</li>
+ <li>Tomcat binaries and/or scripts.</li>
+ <li>The JMX API (local or remote).</li>
+ <li>The Java Attach API or any other debugging interface.</li>
</ul>
- </subsection>
+ <p>Reports for vulnerabilities where an attacker tricks an administrative
+ user into performing an action the administrator did not intend to
+ perform (e.g. CSRF vulnerabilities) will be accepted.</p>
+ </subsection>
+
<subsection name="Web applications">
<p>Web applications deployed to Tomcat are considered to be trusted.
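Review bot: the sentence at lines 74-76 says "administrative user" and then "the administrator" for the same party; tightening it to "tricks an administrative user into performing an unintended action (e.g. via CSRF)" reads more cleanly and avoids the repetition. As this xdocs file is the source from which docs/security-model.html is generated, the wording here is the one to settle on, then regenerate the HTML rather than editing both by hand; the two copies match in this commit, which is fine.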
@@ -56,10 +60,10 @@
<ul>
<li>The standard request attributes and any arbitrary request
attributes
permitted by <code>allowedRequestAttributesPattern</code> for an
AJP
- connector</li>
+ connector.</li>
<li>HTTP headers processed by a <code>RemoteIpValve</code>,
<code>SSLValve</code>, equivalent filters or any similar
- functionality</li>
+ functionality.</li>
</ul>
</subsection>