2009/7/22 Rémy Maucherat <remy.mauche...@gmail.com>:
> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas <ma...@apache.org> wrote:
>> You'll need to provide more details. Nothing stands out from the security
>> pages.
>>
>> Please provide step by step instructions to reproduce from a clean Tomcat
>> installation.
>>
>> Please also note that potential security vulnerabilities should be reported
>> privately (see http://tomcat.apache.org/security.html), rather than to a
>> public list. Since you have posted to a public list, there is no point
>> continuing in private.
>
> I don't think the host is used in HTML generated by Tomcat. OTOH, like
> the other strings returned by the API, ServletRequest.getServerName is
> not XSS filtered.
>
At least, if there are concerns about that, there is a workaround: you can
specify the proxyName attribute on a <Connector> element in server.xml. In
that case the one that is in the request will be ignored.

Documentation is here:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html

Best regards,
Konstantin Kolinko
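The workaround Konstantin describes, written out as a server.xml fragment. This is an added example, not configuration from the thread or from the Tomcat documentation; the hostname www.example.com, the ports and the connectionTimeout value are assumptions, and the "before" connector is the stock Tomcat 6 default shape shown only for contrast.

```xml
<!-- Added example; hostnames, ports and timeouts are assumptions. -->

<!-- Before: no proxyName. ServletRequest.getServerName() returns whatever
     the client put in the Host header (or the request URL), unfiltered,
     and the application has to escape it before writing it into HTML. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- After: proxyName/proxyPort fix the values that getServerName() and
     getServerPort() return for every request on this connector; the
     name and port sent by the client are ignored. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="www.example.com"
           proxyPort="80" />

<!-- The same attributes exist on the AJP connector, which is the usual
     case when Tomcat sits behind a fronting web server. -->
<Connector port="8009" protocol="AJP/1.3"
           redirectPort="8443"
           proxyName="www.example.com"
           proxyPort="80" />
```

Two caveats a practitioner would want. First, proxyName fixes a single name for the whole connector, so it fits a connector dedicated to one site behind a reverse proxy, not one connector serving several virtual hosts. Second, it only covers getServerName()/getServerPort(); the other request-derived strings Rémy mentions (request URI, query string, headers) are still returned unfiltered and still have to be escaped by the application before they go into HTML.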