Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread Remy Maucherat
William A. Rowe, Jr. wrote: Mladen Turk wrote: Remy Maucherat wrote: Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request cont

Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread William A. Rowe, Jr.
Mladen Turk wrote: > Remy Maucherat wrote: >> >> Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is >> used behind a proxy (including, but not limited to, Apache HTTP server >> with mod_proxy and mod_jk) configured to only proxy some contexts, a >> HTTP request containing strings

Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread Remy Maucherat
Mladen Turk wrote: Remy Maucherat wrote: Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/\..

Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread Mladen Turk
Remy Maucherat wrote: Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/\../" may allow attacke
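The bypass quoted above comes down to two hops disagreeing about what a path separator is. The script below is an added illustration, not code from this thread or from Tomcat: it models a front end that forwards only a literal `/app/` prefix and treats only `/` as a separator, next to a back end that also accepts `\` (and so the percent-decoded `%5C`) as a separator before collapsing `..`. The `/app/` and `/manager/` context names, the prefix-match proxy logic and the simplified normalizer are all assumptions chosen for the demonstration; `backend_allowed` models the conclusion the thread reaches, that the context restriction has to be enforced in the back end on its own normalized view of the path.

```python
from urllib.parse import unquote

# Assumption for this illustration: the front-end proxy is configured to
# forward only the /app/ context to the servlet container.
PROXIED_PREFIXES = ("/app/",)


def proxy_forwards(raw_path: str) -> bool:
    """Front-end decision modelled as a literal prefix match on the raw
    request path. It treats only '/' as a segment separator and never maps
    '\\' or '%5C' to '/', so '/app/\\../manager/' still starts with /app/
    and is forwarded."""
    return any(raw_path.startswith(p) for p in PROXIED_PREFIXES)


def normalize(raw_path: str, backslash_is_separator: bool) -> str:
    """Resolve a request path the way a back end might: percent-decode,
    optionally treat '\\' (and therefore a decoded '%5C') as '/', then
    collapse '.' and '..' segments. A model for the demo, not Tomcat's code."""
    path = unquote(raw_path)
    if backslash_is_separator:
        path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    trailing = "/" if path.endswith("/") and segments else ""
    return "/" + "/".join(segments) + trailing


def context_of(path: str) -> str:
    """First path segment, i.e. the context the back end would map the
    normalized request to."""
    parts = [s for s in path.split("/") if s]
    return "/" + parts[0] + "/" if parts else "/"


def backend_allowed(raw_path: str) -> bool:
    """Mitigation modelled on the thread's conclusion: apply the context
    allow list inside the back end, on the path after the back end's own
    normalization, so the front end's differing view no longer matters."""
    resolved = normalize(raw_path, backslash_is_separator=True)
    return context_of(resolved) in PROXIED_PREFIXES


def trace(raw_path: str) -> dict:
    """Walk one request through both hops and report what each side sees."""
    return {
        "proxy_forwards": proxy_forwards(raw_path),
        "slash_only_view": normalize(raw_path, backslash_is_separator=False),
        "backslash_view": normalize(raw_path, backslash_is_separator=True),
        "backend_allowed": backend_allowed(raw_path),
    }


if __name__ == "__main__":
    # Constructed requests: one legitimate, two using the delimiters the
    # advisory text names (a literal '\\' and its encoded form %5C).
    for req in ("/app/index.jsp", "/app/\\../manager/", "/app/%5C../manager/"):
        print(req, trace(req))
```

Running it shows the two malicious requests pass the proxy's prefix check and stay under `/app/` in the slash-only view, but resolve to `/manager/` once `\` counts as a separator; `backend_allowed` rejects them because it checks the context after the back end's normalization rather than trusting the proxy's filtering.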

Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread Peter Rossbach
+1, yep, this explains the real problem better :-) Peter On 20.03.2007 at 15:10, Remy Maucherat wrote: Remy Maucherat wrote: -1 for the report summary posted at: http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html It is

Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread Yoav Shapira
Hi, On 3/20/07, Remy Maucherat <[EMAIL PROTECTED]> wrote: Due to the impossibility of guaranteeing that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used. Comments? +1 to your reworked text, I like it.

Re: [Fwd: Vendor Notification VU#239041 - apache-tomcat]

2007-03-20 Thread Remy Maucherat
Remy Maucherat wrote: -1 for the report summary posted at: http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html It is highly misleading. (moving to dev list since it's obviously not confidential) In particular, the beginnin