Thanks Chris for the reply. Looks like my understanding of the fix is incorrect. I assumed (my bad) that, with the fix for this CVE in place (Tomcat 7.0.68) plus setting the additional context attribute (mapperContextRootRedirectEnabled="false"), all the redirects for the webapp where the context attribute was set would be completely disabled. You mentioned that only "protected directories" inside the deployed web application are covered by this CVE fix. Can you please help me understand what these protected directories are and how to configure this in Tomcat?
Regards,
Harish Krishnan

On Tue, Mar 8, 2016 at 7:59 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Harish,
>
> On 3/7/16 6:02 PM, Harish Krishnan wrote:
> > Unfortunately, I still could not verify this vulnerability as it
> > still appears not fixed & my requests get redirected.
>
> What makes you think that the requests should not be redirected?
>
> > Instead of using the manager webapp that comes default in Tomcat,
> > we created a sample webapp with the following security constraint:
> >
> > <web-app id="demo">
> >   <welcome-file-list>
> >     <welcome-file>hello.html</welcome-file>
> >   </welcome-file-list>
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>sercure-hello</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <user-data-constraint>
> >       <transport-guarantee>NONE</transport-guarantee>
> >     </user-data-constraint>
> >   </security-constraint>
> > </web-app>
> >
> > Accessing http://localhost:8080/a (which exists) gets redirected to
> > http://localhost:8080/a/ & then gets 404. Accessing
> > http://localhost:8080/b (does not exist) simply gets 404.
>
> Where did you deploy this sample web application?
>
> > I have set the context attribute (mapperContextRootRedirectEnabled)
> > as well:
> >
> > <Context mapperContextRootRedirectEnabled="false"
> >          antiResourceLocking="false" privileged="true">
> >   <!-- Remove the comment markers from around the Valve below to limit
> >        access to the manager application to clients connecting from
> >        localhost -->
> >   <!--
> >   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
> >   -->
> > </Context>
> >
> > My question simply boils down to: what additional setting do I need
> > for the above redirect to NOT happen?
>
> Which redirect? A redirect for a protected directory inside of a
> deployed web application (which is what this CVE covers) or the
> redirect for a deployed web application (which is not what this CVE
> covers)?
>
> -chris
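To show what a "protected directory" inside a webapp looks like, as opposed to the context root, here is an added example (not posted by anyone in this thread) of a web.xml that requires authentication for everything under /admin/, paired with a META-INF/context.xml that switches off both Mapper redirect attributes. The /admin path, the admin role name and the BASIC login method are assumed, and the example assumes a Tomcat release that has both Mapper attributes (7.0.68 is the version named above).

```xml
<!-- WEB-INF/web.xml (added example; path and role name are assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-area</web-resource-name>
      <!-- /admin/* is the "protected directory": the constraint carries an
           auth-constraint, so the container must authenticate and authorize
           the caller before serving anything under it. -->
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <!-- Without an auth-constraint, a security-constraint (e.g. one with
         only a user-data-constraint of NONE) requires no authentication
         at all, so the directory is not protected in this sense. -->
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>admin-area</realm-name>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>

<!-- META-INF/context.xml (added example) -->
<!-- mapperContextRootRedirectEnabled controls the /app -> /app/ redirect
     for the deployed application itself (not what the CVE fix covers).
     mapperDirectoryRedirectEnabled controls the /app/dir -> /app/dir/
     redirect for directories inside the application, which is the case
     the CVE fix addresses. -->
<Context mapperContextRootRedirectEnabled="false"
         mapperDirectoryRedirectEnabled="false">
</Context>
```

With both attributes set to false the Mapper itself no longer issues the trailing-slash redirect, so an unauthenticated request for /admin (no slash) is not told by an early 302 whether that directory exists; any redirect or 404 is then produced only after the security constraint has been applied.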