https://issues.apache.org/bugzilla/show_bug.cgi?id=50153
--- Comment #1 from Chuck Caldarale <chuck.caldar...@unisys.com> 2010-10-25 22:56:58 EDT ---
(In reply to comment #0)
> Since I'm using a framework that maps its own servlet to /*, I have to remap
> the default servlet. In Tomcat 7.0.0 this mapping was working:
>
> <servlet-mapping>
>     <servlet-name>default</servlet-name>
>     <url-pattern>/static/</url-pattern>
> </servlet-mapping>
>
> But it doesn't in Tomcat 7.0.4

Unfortunately, you have been taking advantage (?) of a security hole in the
default servlet that allowed an ill-specified <url-pattern> to serve static
content from arbitrary locations. As noted in the 7.0 changelog, the related
bug report can be found here:
http://issues.apache.org/bugzilla/show_bug.cgi?id=50026

The normal way to correctly implement this is to place the static content under
a known, real location, and configure that in <url-pattern>. Alternatively, a
filter can be used to detect static references and forward them to the
DefaultServlet. One could also use the appropriate suffix notation in the
<url-pattern> to direct requests to the DefaultServlet.

 - Chuck
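
One way to write the filter mentioned in the comment above, as an added example that is not part of the original message or of Tomcat's code. It assumes a hypothetical class name `StaticContentFilter`, a filter mapping of `/*`, static files stored in a real `/static/` directory of the web application, and the Servlet 3.0 (`javax.servlet`) API used by Tomcat 7.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: runs ahead of the framework servlet that is mapped to /*.
public class StaticContentFilter implements Filter {
    // Assumption: static content lives in a real /static/ directory of the webapp.
    private static final String STATIC_PREFIX = "/static/";
    private RequestDispatcher defaultServlet;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "default" is the servlet-name used in the mapping quoted above.
        defaultServlet = config.getServletContext().getNamedDispatcher("default");
        if (defaultServlet == null) {
            throw new ServletException("no servlet named 'default' is available");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the container-decoded path rather than the raw request URI, so
        // percent-encoding or path parameters cannot disguise the prefix.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);

        if (!path.startsWith(STATIC_PREFIX)) {
            chain.doFilter(req, res);        // not static: let the framework handle it
        } else if (path.contains("..")) {
            // Conservative extra check; also rejects file names containing "..".
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        } else {
            // A named dispatcher leaves the request path unchanged, so the file
            // is looked up under /static/ only.
            defaultServlet.forward(req, res);
        }
    }

    @Override
    public void destroy() { }
}
```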