All,

On 2/4/2011 9:05 PM, Mark Thomas wrote:
> All users are recommended to upgrade to a Tomcat version with the
> work-around. Users unable to upgrade can filter malicious requests via a
> Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
> reverse proxy) or other filtering as available.

For those who might need a bit of help implementing a workaround, here
is one that uses mod_rewrite to kill these kinds of requests:

        RewriteCond "%{HTTP:Accept-Language}" "q=[0-9.]{10,}"
        RewriteRule .* / [L,E=no-jk:1,R=400]

I chose "10" arbitrarily as the cutoff for the quality indicator, and
"400 Bad Request" as the response. Technically, this is a redirect but
it replies with a 400 status code. I also have the "no-jk" environment
variable set which will cause mod_jk to ignore such requests. It's not
really necessary, but it doesn't hurt.

Hope that helps,
-chris
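
The Servlet filter option named in the quoted advisory, written out as an added example for users without an httpd front end. It is not part of the original message or of Tomcat itself: the class name `LongQualityValueFilter` is hypothetical, and the pattern and the cutoff of 10 are copied from the mod_rewrite rule above.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; rejects the same requests as the RewriteCond above.
public class LongQualityValueFilter implements Filter {

    // Same expression as the mod_rewrite rule: "q=" followed by 10 or more
    // digits or dots. The cutoff of 10 is the arbitrary value from the mail.
    private static final Pattern LONG_Q = Pattern.compile("q=[0-9.]{10,}");

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getHeaders() returns the raw header strings, so nothing is parsed
            // as a number here. A client may send the header more than once.
            Enumeration<?> values = http.getHeaders("Accept-Language");
            while (values != null && values.hasMoreElements()) {
                if (LONG_Q.matcher(String.valueOf(values.nextElement())).find()) {
                    // Answer 400 Bad Request and stop; the request never
                    // reaches the rest of the chain or the application.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter to `/*` in `web.xml` and declare it before any other filter, so the check runs before application code sees the request.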
