On 24/03/2011 15:52, Francis GALIEGUE wrote:
> [o3@tomcat-r8 cockpit]$ wget -O - -nv --http-user=tomcat --http-password=tomcat http://localhost:8080/manager/text/deploy'?path=/../cockpit&war=file:/var/lib/o3/tomcat/installs/cockpit'
> OK - Deployed application at context path /../cockpit
> 2011-03-24 16:49:14 URL:http://localhost:8080/manager/text/deploy?path=/../cockpit&war=file:/var/lib/o3/tomcat/installs/cockpit [54] -> "-" [1]
> [o3@tomcat-r8 cockpit]$ wget -O - -nv --http-user=tomcat --http-password=tomcat http://localhost:8080/manager/text/list
> OK - Listed applications for virtual host localhost
> /manager:running:2:/usr/share/tomcat7/webapps/manager
> /../cockpit:running:0:..#cockpit
> 2011-03-24 16:49:18 URL:http://localhost:8080/manager/text/list [139] -> "-" [1]
>
> Strange that a path with a .. in it should be accepted imho...
The only validation done is that the path is either zero length or starts with a '/'. Anything else is permitted.

Could the validation be stricter? Sure. But in this case all you get (if I am reading the code correctly) is an application that will never have a request mapped to it since requests are normalised before mapping.

Mark
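As an added illustration of the two points in the reply above (this is example code written for this page, not Tomcat's own Manager or mapper source), the class below models the stricter context-path check that could be applied at deploy time, alongside a simplified request-URI normaliser of the kind that runs before mapping. The class name `ContextPathCheck`, the method names and the sample paths are all assumptions chosen for the example; the normaliser is a deliberately reduced model of the idea, not Tomcat's actual implementation.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Hypothetical deploy-time context-path validation and request normalisation (example code). */
public final class ContextPathCheck {

    private ContextPathCheck() {}

    /**
     * Stricter deploy-time rule than "empty or starts with '/'": the path must be ""
     * (the ROOT context) or start with '/' and consist only of non-empty segments
     * that are neither "." nor "..", with no trailing slash.
     */
    public static boolean isAcceptableContextPath(String path) {
        if (path == null) {
            return false;
        }
        if (path.isEmpty()) {
            return true;                       // ROOT context
        }
        if (path.charAt(0) != '/') {
            return false;                      // the only check the reply describes
        }
        if (path.length() > 1 && path.endsWith("/")) {
            return false;                      // "/cockpit/" would never match a normalised URI
        }
        for (String seg : path.substring(1).split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".") || seg.equals("..")) {
                return false;                  // rejects "/../cockpit", "/a//b", "/a/./b"
            }
        }
        return true;
    }

    /**
     * Simplified model of request-URI normalisation: collapses "." and ".." segments
     * and returns null when ".." would climb above the root. Because this runs before
     * mapping, a context registered as "/../cockpit" can never be selected: a request
     * for "/../cockpit" is rejected outright, and "/x/../cockpit" becomes "/cockpit".
     */
    public static String normalise(String uri) {
        if (uri == null || uri.isEmpty() || uri.charAt(0) != '/') {
            return null;
        }
        Deque<String> out = new ArrayDeque<>();
        for (String seg : uri.substring(1).split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                      // "//" and "/./" collapse
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null;               // attempt to go above the root
                }
                out.removeLast();
                continue;
            }
            out.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : out) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the path from the quoted deploy command.
        String[] contextPaths = {"", "/cockpit", "/../cockpit", "/a/../b", "cockpit", "/a//b", "/cockpit/"};
        for (String p : contextPaths) {
            System.out.printf("deploy path %-14s -> %s%n", '"' + p + '"',
                    isAcceptableContextPath(p) ? "accepted" : "rejected");
        }
        String[] requestUris = {"/../cockpit", "/x/../cockpit", "/cockpit/./index.html", "/a//b"};
        for (String u : requestUris) {
            System.out.printf("request %-22s -> %s%n", '"' + u + '"', normalise(u));
        }
    }
}
```

Running the class shows `"/../cockpit"` rejected by the stricter deploy check, and the normaliser turning `/x/../cockpit` into `/cockpit` while returning null for a bare `/../cockpit`, which is the mechanism the reply relies on when it says such a context never receives a request.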