All,

On 2/8/2011 5:32 PM, Christopher Schultz wrote:
> All,
>
> On 2/4/2011 9:05 PM, Mark Thomas wrote:
>> All users are recommended to upgrade to a Tomcat version with the
>> work-around. Users unable to upgrade can filter malicious requests via a
>> Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
>> reverse proxy) or other filtering as available.
>
> For those who might need a bit of help implementing a workaround, here
> is one that uses mod_rewrite to kill these kinds of requests:
>
> RewriteCond "%{HTTP:Accept-Language}" "q=[0-9.]{10,}"
> RewriteRule .* / [L,E=no-jk:1,R=400]

If mod_rewrite isn't your style, you can also use SetEnvIf:

SetEnvIf "Accept-Language" "q=[0-9.]{10,}" no-jk=1

This will likely result in a 404 response to the client, but at least
the request will not be sent to Tomcat.

-chris
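For deployments with no httpd in front of Tomcat, the Servlet filter option mentioned in the quoted announcement can apply the same pattern as the rules above. This is an added example, not code from the original message or from the Tomcat project; the class name AcceptLanguageGuardFilter is hypothetical and the javax.servlet API is assumed.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; added example, not Tomcat's own code.
public class AcceptLanguageGuardFilter implements Filter {

    // Same pattern as the mod_rewrite / SetEnvIf rules in the message.
    // A q-value allowed by RFC 2616 has at most three decimal digits
    // (for example "q=0.123"), so ten or more digit/dot characters after
    // "q=" never occur in a well-formed Accept-Language header.
    private static final Pattern LONG_QVALUE = Pattern.compile("q=[0-9.]{10,}");

    public void init(FilterConfig config) {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            // The header may be sent more than once, so check every raw value.
            Enumeration<?> values = ((HttpServletRequest) req).getHeaders("Accept-Language");
            while (values != null && values.hasMoreElements()) {
                String value = (String) values.nextElement();
                if (LONG_QVALUE.matcher(value).find()) {
                    // Reject here; the rest of the chain never sees the request.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Declare the filter in web.xml with a `/*` mapping, ahead of any other filter mapping, so it runs before the application code.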