This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 90f8e74d96 Expand the description of the security implications of some settings 90f8e74d96 is described below commit 90f8e74d96be3aa734d75458a1d1f2892d1fdb02 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jan 16 17:00:28 2025 +0000 Expand the description of the security implications of some settings Specifically, setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true --- webapps/docs/changelog.xml | 6 ++++++ webapps/docs/config/context.xml | 20 ++++++++++++++------ webapps/docs/security-howto.xml | 9 +++++++++ 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bdb7984084..a7cf488edc 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -239,6 +239,12 @@ <subsection name="Web applications"> <changelog> <!-- Entries for backport and removal before 12.0.0-M1 below this line --> + <add> + Documentation. Expand the description of the security implications of + setting <code>mapperContextRootRedirectEnabled</code> and/or + <code>mapperDirectoryRedirectEnabled</code> to <code>true</code>. + (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml index b141edc8dc..7b4320ea29 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml 
@@ -445,17 +445,25 @@ <attribute name="mapperContextRootRedirectEnabled" required="false"> <p>If enabled, requests for a web application context root will be redirected (adding a trailing slash) if necessary by the Mapper rather - than the default Servlet. This is more efficient but has the side effect - of confirming that the context path exists. If not specified, the - default value of <code>true</code> is used.</p> + than the default Servlet. This is more efficient but there are security + side effects. First, the existance of a web application or a directory + may be confirmed even though the user does not have access to that + directory. Secondly, any Valves and/or Filters - including those + providing security functionality - will not have an opportunity to + process the request. If not specified, the default value of + <code>true</code> is used.</p> </attribute> <attribute name="mapperDirectoryRedirectEnabled" required="false"> <p>If enabled, requests for a web application directory will be redirected (adding a trailing slash) if necessary by the Mapper rather - than the default Servlet. This is more efficient but has the side effect - of confirming that the directory is exists. If not specified, the - default value of <code>false</code> is used.</p> + than the default Servlet. This is more efficient but there are security + side effects. First, the existance of a web application or a directory + may be confirmed even though the user does not have access to that + directory. Secondly, any Valves and/or Filters - including those + providing security functionality - will not have an opportunity to + process the request. If not specified, the default value of + <code>false</code> is used.</p> </attribute> <attribute name="override" required="false"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 20bd81f062..0955c11bde 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -382,6 +382,15 @@ (<code>$CATALINA_BASE/temp</code> by default). This location should be secured with appropriate file permissions - typically read/write for the Tomcat user and no access for other users.</p> + + <p>When <strong>mapperContextRootRedirectEnabled</strong> and/or + <strong>mapperDirectoryRedirectEnabled</strong> are enabled, request + processing will be more efficient but there are security side effects. + First, the existance of a web application or a directory may be confirmed + even though the user does not have access to that directory. Secondly, any + Valves and/or Filters - including those providing security functionality - + will not have an opportunity to process the request.</p> + </subsection> <subsection name="Valves"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
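Review bot: in the context.xml hunk, "existance" in both new attribute descriptions (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) should be "existence". The mapperContextRootRedirectEnabled text also reuses the directory wording verbatim ("even though the user does not have access to that directory"), but what the Mapper confirms for that attribute is the context path, so "the existence of a web application may be confirmed even though the user does not have access to it" would be more precise. Both descriptions now state that Valves and Filters never see the redirected request without saying what the operator should do about it; a closing sentence such as "Set this attribute to false if Valves or Filters must process every request, accepting the small loss in efficiency" would make the mitigation explicit next to the documented default.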
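Review bot: in the security-howto.xml hunk, the new paragraph before the Valves subsection describes the side effects of enabling the two mapper redirect attributes but, unlike the surrounding entries in the how-to, gives no hardening recommendation. Suggest ending it with the defaults and the safer choice, along the lines of "mapperDirectoryRedirectEnabled defaults to false. mapperContextRootRedirectEnabled defaults to true and should be set to false if security Valves or Filters must see every request, including requests for the context root without a trailing slash." The same "existance" misspelling from context.xml is repeated here and should be "existence".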