https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #11 from bozho <gl...@abv.bg> 2010-10-26 13:38:27 EDT ---

Instead of disallowing the whole remapping of the default servlet, can't this be implemented (as suggested) by using getPathInfo()? For example:

    String pathInfo = request.getPathInfo();
    // pathInfo is null when nothing follows the servlet mapping; otherwise it begins with "/"
    if (pathInfo != null
            && (pathInfo.startsWith("/WEB-INF") || pathInfo.startsWith("/META-INF"))) {
        // disallow, send 404
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    } else {
        // proceed normally
    }

This would mean that nothing existing would be broken, while the security hole will be fixed.

And there are actual reasons for remapping the default servlet. For example, Spring MVC prefers to have its servlet mapped to /, and static resources be served from a different path - say /static. I'm aware that this can be worked around by a Filter, or placing the static resources in a new app, or perhaps some more ways, but why should these be needed, when a simple mapping could do?
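For a reader who wants to see the Filter workaround the comment mentions, below is an added example; it is not code from Tomcat or from the bug report, and the class name ProtectedDirsFilter is invented. It assumes the default servlet has been remapped to /static/* (Spring's DispatcherServlet taking /) and that the container hands the filter an already decoded and normalised path, resolving the file from pathInfo when the mapping yields one and from servletPath otherwise. Beyond the check in the comment, it handles the null pathInfo case, compares case-insensitively (on a case-insensitive filesystem /web-inf/web.xml is the same file as /WEB-INF/web.xml), and distinguishes /WEB-INF itself from a sibling directory that merely shares the prefix.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Tomcat's own fix) placed in front of a default
 * servlet that has been remapped to /static/*. It refuses any request whose
 * resolved path points into WEB-INF or META-INF.
 */
public class ProtectedDirsFilter implements Filter {

    private static final String[] PROTECTED = { "/WEB-INF", "/META-INF" };

    /**
     * True when the path the default servlet would resolve refers to a
     * protected directory. Assumption: the file is resolved from pathInfo
     * when the mapping yields one, else from servletPath, and both are
     * already URL-decoded and normalised by the container.
     */
    static boolean isProtected(String servletPath, String pathInfo) {
        String path = pathInfo != null ? pathInfo : servletPath;
        if (path == null || path.length() == 0) {
            return false;
        }
        // Defence in depth: a surviving ".." segment means normalisation
        // did not happen; refuse rather than guess where it resolves.
        if (path.equals("..") || path.startsWith("../") || path.endsWith("/..")
                || path.indexOf("/../") >= 0) {
            return true;
        }
        // Case-insensitive compare: /web-inf/ is the same directory as
        // /WEB-INF/ on a case-insensitive filesystem.
        String upper = path.toUpperCase(Locale.ENGLISH);
        for (String dir : PROTECTED) {
            // Match the directory itself or anything below it, but not a
            // sibling such as /WEB-INFO/ that only shares the prefix.
            if (upper.equals(dir) || upper.startsWith(dir + "/")) {
                return true;
            }
        }
        return false;
    }

    public void init(FilterConfig filterConfig) {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isProtected(request.getServletPath(), request.getPathInfo())) {
            // 404 rather than 403 so the response does not confirm that
            // the directory exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Constructed sample requests, as the container would present them. */
    public static void main(String[] args) {
        String[][] samples = {
            // servletPath, pathInfo, expected blocked
            { "/static", "/css/site.css", "false" },
            { "/static", "/WEB-INF/web.xml", "true" },
            { "/static", "/web-inf/classes/app.properties", "true" },
            { "/static", "/META-INF", "true" },
            { "/static", "/WEB-INFO/readme.txt", "false" },
            { "/static", null, "false" },
        };
        for (String[] s : samples) {
            boolean blocked = isProtected(s[0], s[1]);
            System.out.println(s[0] + (s[1] == null ? "" : s[1]) + " -> "
                    + (blocked ? "404" : "serve") + " (expected blocked=" + s[2] + ")");
        }
    }
}
```

To wire it up, map the filter in web.xml to the same url-pattern as the remapped default servlet (/static/*) so it runs before the DefaultServlet on every request under that prefix; the DispatcherServlet mapped to / is unaffected because its own path never reaches the default servlet.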