Thanks for the reply, Mark. Unfortunately, I still could not verify this vulnerability as it still appears not fixed & my requests get redirected. Instead of using the manager webapp that comes default in Tomcat, we created a sample webapp with the following security constraint -

<web-app id="demo">
  <welcome-file-list>
    <welcome-file>hello.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sercure-hello</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
Accessing http://localhost:8080/a (which exists) gets redirected to http://localhost:8080/a/ & then gets 404. Accessing http://localhost:8080/b (does not exist) simply gets 404. I have set the context attribute (mapperContextRootRedirectEnabled) as well -

<Context mapperContextRootRedirectEnabled="false" antiResourceLocking="false" privileged="true">
  <!-- Remove the comment markers from around the Valve below to limit access to the
       manager application to clients connecting from localhost -->
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>

My question simply boils down to: what additional setting do I need to make for the above redirect to NOT happen?

Thanks for your help.

Regards,
Harish Krishnan

On Mon, Mar 7, 2016 at 12:42 PM, Mark Thomas <ma...@apache.org> wrote:
> On 07/03/2016 20:23, Harish Krishnan wrote:
> > Hi There,
> >
> > I am verifying the fix that you made for CVE-2015-5345 & it appears to be
> > not fixed. I might be doing something wrong & hence sending out this email
> > to you.
> > All I did was,
> > a) Downloaded & installed the latest Tomcat build 7.0.68.
> > b) Added the following context attribute to manager webapp just for testing -
> > File: $CATALINA_HOME\webapps\manager\META-INF\context.xml
> > <Context mapperContextRootRedirectEnabled="false"
> > antiResourceLocking="false" privileged="true">
> > c) When I access http://localhost/8080/manager/images, it still gets
> > redirected to /images/ thereby confirming the folder location. Same thing
> > happens when accessing /manager/index.jsp too.
> >
> > Am I missing anything here?
>
> Yes. Look at the security constraints defined for the Manager application.
>
> Mark
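As an added example that is not part of this thread: a small Python check, written from the side of someone verifying the fix, that encodes the test described above (one anonymous request to an existing path and one to a missing path, compared for a trailing-slash redirect). `Probe`, `fetch_probe` and the sample responses are my own constructions; the base URL is assumed, and nothing here is Tomcat's own code.

```python
# Added example (not from this thread): decide from two anonymous probes
# whether a context reveals that a directory exists by answering the
# slash-less path with a redirect while a missing path gets a plain 404.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Probe:
    path: str                # request path with no trailing slash, e.g. "/a"
    status: int              # HTTP status the server answered with
    location: Optional[str]  # Location header if one was sent, else None


def redirect_adds_slash(probe: Probe) -> bool:
    """True when the server redirected to the same path plus a trailing slash."""
    if probe.status not in REDIRECT_CODES or not probe.location:
        return False
    return urlsplit(probe.location).path == probe.path + "/"


def leaks_directory_existence(existing: Probe, missing: Probe) -> bool:
    """The behaviour under test: an existing directory is redirected to its
    slash form while a missing path is not, so the two can be told apart.
    A context that answers both probes the same way (e.g. 401 because an
    auth-constraint covers /*) does not leak and returns False."""
    return redirect_adds_slash(existing) and not redirect_adds_slash(missing)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep the 3xx response itself instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_probe(base_url: str, path: str) -> Probe:
    """Issue one anonymous GET and capture status plus Location (network helper)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url + path) as resp:
            return Probe(path, resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return Probe(path, err.code, err.headers.get("Location"))


# Constructed from the responses reported in the message above (status assumed 302).
REPORTED_EXISTING = Probe("/a", 302, "http://localhost:8080/a/")
REPORTED_MISSING = Probe("/b", 404, None)
```

Running `leaks_directory_existence(fetch_probe(base, "/a"), fetch_probe(base, "/b"))` against a test instance reproduces the comparison by hand; the same pair should come back False once the context's security constraint answers both requests identically.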