Harish,
On 3/7/16 6:02 PM, Harish Krishnan wrote:
> Unfortunately, I still could not verify this vulnerability as it
> still appears not fixed & my requests get redirected.

What makes you think that the requests should not be redirected?

> Instead of using the manager webapp that comes default in tomcat,
> we created a sample webapp with the following security constraint -
>
> <web-app id="demo">
>   <welcome-file-list>
>     <welcome-file>hello.html</welcome-file>
>   </welcome-file-list>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>sercure-hello</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
> </web-app>
>
> Accessing http://localhost:8080/a (which exists) gets redirected to
> http://localhost:8080/a/ & then gets 404. Accessing
> http://localhost:8080/b (does not exist) simply gets 404.

Where did you deploy this sample web application?

> I have set the context attribute (mapperContextRootRedirectEnabled)
> as well -
>
> <Context mapperContextRootRedirectEnabled="false"
>          antiResourceLocking="false" privileged="true">
>   <!-- Remove the comment markers from around the Valve below to limit
>        access to the manager application to clients connecting from
>        localhost -->
>   <!--
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
>   -->
> </Context>
>
> My question simply boils down to, what additional setting I need to
> do for the above redirect to NOT happen.

Which redirect? A redirect for a protected directory inside of a deployed web application (which is what this CVE covers) or the redirect for a deployed web application (which is not what this CVE covers)?
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
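The distinction Chris draws above, as an added example that is not part of the thread and not Tomcat's own code: a small Python helper that tells a context-root redirect apart from an in-context directory redirect using only the response status and Location header, so you can check which of the two you are actually seeing. The context path `/a`, the directory name `secret`, the `probe` helper and the sample responses are constructed here, not taken from a real server.

```python
from urllib.parse import urlsplit
import urllib.error, urllib.request

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_response(context_path, request_path, status, location):
    """Return 'not-found', 'no-redirect', 'context-root-redirect',
    'directory-redirect' or 'other-redirect' for Tomcat's answer to
    request_path, where context_path is the application's root (e.g. '/a')."""
    if status == 404:
        return "not-found"
    if status not in REDIRECT_STATUSES:
        return "no-redirect"
    if urlsplit(location or "").path != request_path + "/":
        return "other-redirect"
    if request_path == context_path:
        # Trailing slash added to the context root itself; this is what the
        # mapperContextRootRedirectEnabled attribute quoted above controls.
        return "context-root-redirect"
    if request_path.startswith(context_path + "/"):
        # Trailing slash added for a directory inside the application. For a
        # directory behind a security constraint this confirms to an
        # unauthenticated client that the directory exists.
        return "directory-redirect"
    return "other-redirect"


# Constructed (context_path, request_path, status, Location) tuples mirroring
# the observations in the thread; not captured from a real server.
SAMPLE_RESPONSES = [
    ("/a", "/a", 302, "http://localhost:8080/a/"),
    ("/a", "/b", 404, None),
    ("/a", "/a/secret", 302, "http://localhost:8080/a/secret/"),
    ("/a", "/a/secret", 401, None),
]


def classify_samples():
    return [classify_response(*r) for r in SAMPLE_RESPONSES]


def probe(base_url, context_path, path):
    # Request base_url + path without following redirects, then classify it.
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx as an HTTPError instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url + path, timeout=5) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location")
    return classify_response(context_path, path, status, location)
```

Against a live instance, `probe("http://localhost:8080", "/a", "/a")` reproduces the context-root case from the thread, while `probe(..., "/a", "/a/secret")` returning `directory-redirect` for a directory that is behind a security constraint is the in-context behaviour the CVE is about. That in-context redirect is governed by Tomcat's separate `mapperDirectoryRedirectEnabled` Context attribute, not by `mapperContextRootRedirectEnabled`.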