Bill Higgins wrote:

> We have a servlet that acts as a proxy to other URLs from different
> origins. E.g. via your web app you could get to the Google home page
> via a URL like:
>
> http://localhost/myapp/proxy/http%3A%2F%2Fwww.google.com%2F
>
> Using this URL pattern, we immediately hit the Tomcat "noSlash"
> restriction (Directory traversal CVE-2007-0450) and in order for our
> proxy to work we have to set the environment variable
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH to true.
A better workaround might be to pass the required URL as a query parameter.

> I have more questions on how to respond to this Tomcat behavior, but
> I'm hoping someone could provide more input on the rationale behind
> the current fix for CVE-2007-0450 to provide additional context for my
> other questions.

I've been back over the private discussions that took place at the time. The aim was to provide a fix without breaking the existing functionality. There was no debate around changing the existing functionality, nor the correctness of it.

Mark
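The query-parameter workaround suggested above, written out as an added example (this is not code from the thread or from Tomcat itself). The target is passed as `/myapp/proxy?url=http%3A%2F%2Fwww.google.com%2F`, so the encoded slash lives in the query string, which the container decodes with `getParameter`, and never in the request path, so `ALLOW_ENCODED_SLASH` can stay at its default. The parameter name `url`, the `ALLOWED_HOSTS` allowlist and the plain `HttpURLConnection` forwarding are assumptions made for this example; the allowlist is there because a proxy that fetches any caller-supplied URL would otherwise reach whatever the server can reach.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a proxy servlet that takes its target from the query
 * parameter "url" instead of from a path segment, e.g.
 *   /myapp/proxy?url=http%3A%2F%2Fwww.google.com%2F
 * No %2F ever appears in the request path, so Tomcat's default rejection
 * of encoded slashes (the CVE-2007-0450 fix) is never triggered.
 */
public class QueryParamProxyServlet extends HttpServlet {

    // Assumption for this example: only these hosts may be proxied.
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<String>(Arrays.asList("www.google.com"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container decodes %3A and %2F in the query string for us,
        // so getParameter returns the plain target URL.
        String target = req.getParameter("url");
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing url parameter");
            return;
        }

        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed url");
            return;
        }
        if (!isAllowed(uri)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "target not permitted");
            return;
        }

        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setRequestMethod("GET");
        // Do not follow redirects: a redirect could point somewhere off the allowlist.
        conn.setInstanceFollowRedirects(false);

        int status = conn.getResponseCode();
        resp.setStatus(status);
        String contentType = conn.getContentType();
        if (contentType != null) {
            resp.setContentType(contentType);
        }

        // Copy the upstream body (error stream for 4xx/5xx) back to the caller.
        InputStream in = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
        if (in == null) {
            return;
        }
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }

    /** Accept only absolute http/https URLs whose host is on the allowlist. */
    static boolean isAllowed(URI uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return scheme != null && host != null
            && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
            && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

Map the servlet to `/proxy` in `web.xml` (or with `@WebServlet` on Servlet 3.0 containers) and the existing callers only need to move the encoded target from the path into `?url=`; the encoding of the target itself does not change.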