-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
On 2/4/2011 9:05 PM, Mark Thomas wrote:
> All users are recommended to upgrade to a Tomcat version with the
> work-around. Users unable to upgrade can filter malicious requests via a
> Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
> reverse proxy) or other filtering as available.
For those who might need a bit of help implementing a workaround, here
is one that uses mod_rewrite to kill these kinds of requests:
RewriteCond "%{HTTP:Accept-Language}" "q=[0-9.]{10,}"
RewriteRule .* / [L,E=no-jk:1,R=400]
I chose "10" arbitrarily as the cutoff for the quality indicator, and
"400 Bad Request" as the response. Technically, this is a redirect but
it relies with a 400 status code. I also have the "no-jk" environment
variable set which will cause mod_jk to ignore such requests. It's not
really necessary, but it doesn't hurt.
Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1RxGoACgkQ9CaO5/Lv0PB4YgCfThXixGpMpteEtfiS5OLYTJ0m
aa0AoK41TD8WN7axo/glJqKKHbPp2JeT
=EoY2
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
