A patch (which I didn't look at yet) could introduce the following:
- Bypassing a security constraint, e.g. index.jsp is protected but / isn't
- Vulnerabilities - through wacky optimizations, other pages might get accidentally exposed
- It breaks the spec for a different case

Odds are none of these happen with the patches, but when others don't review for these conditions is when an 'oops' slips through.


-Tim
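An added example (mine, not code from this thread or from Tomcat) of the first item in Tim's list: a small audit over web.xml-style security constraints, using a simplified model of servlet url-pattern matching (exact, path prefix, extension; an assumption, not Tomcat's implementation) and constructed sample constraints, that flags directories whose welcome file is protected while the directory URI itself is not.

```python
# Simplified model of servlet url-pattern matching for <security-constraint>
# entries (exact, path prefix "/dir/*", extension "*.ext"). This is an
# assumption for illustration, not Tomcat's Mapper or RealmBase code.

WELCOME_FILES = ["index.jsp", "index.html"]  # constructed <welcome-file-list>


def pattern_matches(pattern: str, path: str) -> bool:
    """Does one url-pattern cover one request path?"""
    if pattern == path:                       # exact match
        return True
    if pattern.endswith("/*"):                # path-prefix match
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):              # extension match
        return path.endswith(pattern[1:])
    return False


def is_protected(constraints, path: str) -> bool:
    """True if any constraint's url-pattern covers the request path."""
    return any(pattern_matches(p, path) for patterns in constraints for p in patterns)


def welcome_file_gaps(constraints, welcome_files=WELCOME_FILES):
    """Directories whose welcome file is constrained but whose directory URI is not.

    A request for "/dir/" gets served (or redirected to) "/dir/index.jsp", yet the
    constraint check sees only "/dir/", so such directories are reported as gaps.
    """
    gaps = set()
    for patterns in constraints:
        for p in patterns:
            for wf in welcome_files:
                if p.endswith("/" + wf):
                    directory = p[: -len(wf)]     # "/admin/index.jsp" -> "/admin/"
                    if not is_protected(constraints, directory):
                        gaps.add(directory)
    return sorted(gaps)


# Constructed sample: the layout Tim describes (index.jsp protected, "/" not).
WEAK = [["/index.jsp"], ["/admin/index.jsp"]]
# Hardened: constrain the directory tree instead of individual welcome files.
HARDENED = [["/*"]]

if __name__ == "__main__":
    for path in ["/", "/index.jsp", "/admin/", "/admin/index.jsp"]:
        print(path, is_protected(WEAK, path), is_protected(HARDENED, path))
    print("gaps (weak):", welcome_file_gaps(WEAK))          # ['/', '/admin/']
    print("gaps (hardened):", welcome_file_gaps(HARDENED))  # []
```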


neal wrote:
What are the security problems and why doesn't Apache or other major web
servers have this problem (or do they)?

If this is made optional (with the default turned off), is the problem with
it breaking an app ... really a problem?



-----Original Message-----
From: Remy Maucherat [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 1:58 AM
To: Tomcat Developers List
Subject: Re: Request to Fix Tomcat Standalone 302 redirect Issue


Bill Barker wrote:

----- Original Message -----
From: "neal" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Sunday, February 16, 2003 8:00 PM
Subject: RE: Request to Fix Tomcat Standalone 302 redirect Issue


So it *will* be in tomcat 5?

My head is spinning...so confusing.

How does one access o.a.t.u.http.mapper.Mapper? Is this something that will be configurable via web.xml?


It will be configurable in 'server.xml' (or, at least it will be when I
do my next commit :).

Good, the code looks as if I had written it myself :)

However, it poses the usual security problems, and breaks the admin webapp.

Remy


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

