This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 3291f64b5a Expand the description of the security implications of some settings 3291f64b5a is described below commit 3291f64b5a785bc6aa5d8789f0187984a4a583b2 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jan 16 17:00:28 2025 +0000 Expand the description of the security implications of some settings Specifically, setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true --- webapps/docs/changelog.xml | 10 ++++++++++ webapps/docs/config/context.xml | 20 ++++++++++++++------ webapps/docs/security-howto.xml | 9 +++++++++ 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 0e3359e3c1..32bed6d351 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -174,6 +174,16 @@ </fix> </changelog> </subsection> + <subsection name="Web applications"> + <changelog> + <add> + Documentation. Expand the description of the security implications of + setting <code>mapperContextRootRedirectEnabled</code> and/or + <code>mapperDirectoryRedirectEnabled</code> to <code>true</code>. + (markt) + </add> + </changelog> + </subsection> <subsection name="Other"> <changelog> <update> diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml index 18cadbfa53..e72d555291 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml
@@ -438,17 +438,25 @@ <attribute name="mapperContextRootRedirectEnabled" required="false"> <p>If enabled, requests for a web application context root will be redirected (adding a trailing slash) if necessary by the Mapper rather - than the default Servlet. This is more efficient but has the side effect - of confirming that the context path exists. If not specified, the - default value of <code>true</code> is used.</p> + than the default Servlet. This is more efficient but there are security + side effects. First, the existance of a web application or a directory + may be confirmed even though the user does not have access to that + directory. Secondly, any Valves and/or Filters - including those + providing security functionality - will not have an opportunity to + process the request. If not specified, the default value of + <code>true</code> is used.</p> </attribute> <attribute name="mapperDirectoryRedirectEnabled" required="false"> <p>If enabled, requests for a web application directory will be redirected (adding a trailing slash) if necessary by the Mapper rather - than the default Servlet. This is more efficient but has the side effect - of confirming that the directory is exists. If not specified, the - default value of <code>false</code> is used.</p> + than the default Servlet. This is more efficient but there are security + side effects. First, the existance of a web application or a directory + may be confirmed even though the user does not have access to that + directory. Secondly, any Valves and/or Filters - including those + providing security functionality - will not have an opportunity to + process the request. If not specified, the default value of + <code>false</code> is used.</p> </attribute> <attribute name="override" required="false"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index c5ba633148..82352a69f4 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -416,6 +416,15 @@ (<code>$CATALINA_BASE/temp</code> by default). This location should be secured with appropriate file permissions - typically read/write for the Tomcat user and no access for other users.</p> + + <p>When <strong>mapperContextRootRedirectEnabled</strong> and/or + <strong>mapperDirectoryRedirectEnabled</strong> are enabled, request + processing will be more efficient but there are security side effects. + First, the existance of a web application or a directory may be confirmed + even though the user does not have access to that directory. Secondly, any + Valves and/or Filters - including those providing security functionality - + will not have an opportunity to process the request.</p> + </subsection> <subsection name="Valves"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
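Review bot: In the context.xml hunk, "existance" is misspelled in both added paragraphs; it should read "existence". The two new paragraphs are also word-for-word identical, so the mapperDirectoryRedirectEnabled description now says "the existance of a web application or a directory may be confirmed" even though that attribute only affects directory redirects; the first side effect for that attribute should be narrowed to "the existence of a directory may be confirmed". Finally, both descriptions state the security side effects but not what an administrator should do about them; consider adding one sentence noting that leaving the attribute at false routes the redirect through the default Servlet, so Valves and Filters do see the request, at the cost of the efficiency gain.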
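Review bot: In the security-howto.xml hunk, "existance" should be "existence", and the paragraph repeats the same text that the context.xml hunk adds to both attribute descriptions, so the three copies will drift the next time one is edited; keep the full explanation in the context attribute documentation and have this paragraph cross-reference it. Since this file is the hardening guide, it would also help to state the recommended setting explicitly (for example that both attributes should be left at or set to false where Valves or Filters enforce access control), rather than only describing the side effects, and to mention that mapperContextRootRedirectEnabled defaults to true while mapperDirectoryRedirectEnabled defaults to false, as the context.xml hunk documents, so readers know which one needs an explicit change.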