Hi Harish,

2016-03-09 0:47 GMT+02:00 Harish Krishnan <harish....@gmail.com>:
>
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> 7.0.68) + setting the additional context attribute
> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> webapp where the context attribute was set would be completely disabled.
> You mentioned that only "protected directories" inside the deployed web
> application are covered by this CVE fix.
> Can you please help me understand what these protected directories are & how
> to configure them in Tomcat?
As Mark already pointed out, look at the web.xml of the Manager application -> security constraints section. Also you may find the following link [1] useful.

Regards,
Violeta

[1] https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

>
> regards
> Harish Krishnan
>
> On Tue, Mar 8, 2016 at 7:59 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Harish,
> >
> > On 3/7/16 6:02 PM, Harish Krishnan wrote:
> > > Unfortunately, I still could not verify this vulnerability as it
> > > still appears not fixed & my requests get redirected.
> >
> > What makes you think that the requests should not be redirected?
> >
> > > Instead of using the manager webapp that comes default in Tomcat,
> > > we created a sample webapp with the following security constraint
> > > -
> > >
> > > <web-app id="demo">
> > >   <welcome-file-list>
> > >     <welcome-file>hello.html</welcome-file>
> > >   </welcome-file-list>
> > >   <security-constraint>
> > >     <web-resource-collection>
> > >       <web-resource-name>sercure-hello</web-resource-name>
> > >       <url-pattern>/*</url-pattern>
> > >     </web-resource-collection>
> > >     <user-data-constraint>
> > >       <transport-guarantee>NONE</transport-guarantee>
> > >     </user-data-constraint>
> > >   </security-constraint>
> > > </web-app>
> > >
> > > Accessing http://localhost:8080/a (which exists) gets redirected to
> > > http://localhost:8080/a/ & then gets 404. Accessing
> > > http://localhost:8080/b (does not exist) simply gets 404.
> >
> > Where did you deploy this sample web application?
> >
> > > I have set the context attribute (mapperContextRootRedirectEnabled)
> > > as well -
> > >
> > > <Context mapperContextRootRedirectEnabled="false"
> > >          antiResourceLocking="false" privileged="true">
> > >   <!-- Remove the comment markers from around the Valve below to limit access to the
> > >        manager application to clients connecting from localhost -->
> > >   <!--
> > >   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > >          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
> > >   -->
> > > </Context>
> > >
> > > My question simply boils down to: what additional setting do I need to
> > > do for the above redirect to NOT happen?
> >
> > Which redirect? A redirect for a protected directory inside of a
> > deployed web application (which is what this CVE covers) or the
> > redirect for a deployed web application (which is not what this CVE
> > covers)?
> >
> > -chris
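As an added illustration (not from this thread and not from Tomcat's own configuration files), here is what makes a directory "protected" in the sense Chris describes: the sample constraint quoted above has no <auth-constraint> and a NONE transport guarantee, so it restricts nothing, whereas the web.xml fragment below requires a role (the constructed role name demo-admin) and TLS for everything under the constructed directory /admin/. The context.xml part shows both mapper redirect switches; mapperDirectoryRedirectEnabled is the Tomcat Context attribute for directory redirects inside the application, next to the mapperContextRootRedirectEnabled attribute the thread already uses.

```xml
<!-- web.xml fragment (goes inside <web-app>), constructed for this example -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-area</web-resource-name>
    <!-- the protected directory: every resource under /admin/ -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <!-- without an auth-constraint the constraint requires no login at all;
       with one, only authenticated users in this role may reach the directory -->
  <auth-constraint>
    <role-name>demo-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL forces TLS; NONE (as in the sample above) imposes nothing -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- the constraint only takes effect together with a login method and a declared role -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>demo-admin-realm</realm-name>
</login-config>

<security-role>
  <role-name>demo-admin</role-name>
</security-role>

<!-- META-INF/context.xml of the same application: disable both mapper redirects
     (context root and directories) when the application does not rely on them -->
<Context mapperContextRootRedirectEnabled="false"
         mapperDirectoryRedirectEnabled="false" />
```

With the constraint in place, a request for /admin (without the trailing slash) is a request for a protected directory, which is the case the CVE fix changes; a request for an unprotected directory or for the context root is governed only by the two Context attributes.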