tomcat-dev mailing list archives

From Jason Hunter <jhun...@acm.org>
Subject Re: Tomcat 3.2.3 and getPathInfo
Date Mon, 27 Aug 2001 05:24:30 GMT
> > > This is even worse because we also won't allow the URL to be
> > > encoded like
> > >
> > > http://localhost:8080/servlet/SnoopServlet/http:%2F%2Ffubar
> > >
> > > because we make some rather draconian precautions to ensure that nastily
> > > encoded URLs can't obtain access to protected resources (or
> > > even resources
> > > outside the webapp).
> >
> > Hmm... I wonder if Tomcat has the right to make illegal what HTTP would
> > allow?
> 
> As I recall, our constraints were basically lifted from the Apache HTTP
> server.  Our rationale was that it was far better to preclude some odd URLs
> than to leave open the possibility that files outside the web application
> could be accessed via the container.  This was a *really* bad security hole.

So what does the Apache Web Server do for PATH_INFO on a request to
http://foo.com/cgi-bin/somecgi/http://extra.com?

-jh-
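As an added illustration of the precaution the quoted reply describes (this is not Tomcat's or Apache's code, and WEBAPP_ROOT, the request samples and the function names are assumptions), the following contrasts a container that decodes the whole request path before mapping it onto the filesystem with one that decodes per segment and refuses any %2F, %5C or encoded dot-segment. It also shows what happens to the PATH_INFO of the two SnoopServlet URLs under the strict rule: the literal "http://fubar" survives, the encoded form is refused outright.

```python
"""Illustration (not Tomcat's or Apache's code) of why a container may
refuse percent-encoded slashes before mapping a request path to a file.

Assumptions: WEBAPP_ROOT is a made-up document root; every request path
below is a constructed sample."""

import posixpath
from urllib.parse import unquote

WEBAPP_ROOT = "/var/www/app"  # hypothetical web application root


def unsafe_resolve(raw_path):
    """Naive mapping: decode the whole path, glue it onto the root, then
    normalise.  Decoding happens before any structural check, so an
    encoded ".." or "/" is honoured and can climb out of the root."""
    decoded = unquote(raw_path)
    return posixpath.normpath(WEBAPP_ROOT + "/" + decoded)


def decode_segments(raw_path):
    """Decode one segment at a time and refuse the request (return None)
    when decoding would *create* a separator, a dot-segment or a NUL byte
    that the raw path did not already spell out.  A literal ".." survives
    here and is resolved by the caller; "%2e%2e" does not.  Decoding is
    applied exactly once, so "%252F" stays the literal text "%2F"."""
    segments = []
    for raw in raw_path.split("/"):
        seg = unquote(raw)
        if "/" in seg or "\\" in seg or "\x00" in seg:
            return None
        if seg in (".", "..") and raw != seg:
            return None
        segments.append(seg)
    return segments


def strict_resolve(raw_path):
    """Strict mapping: per-segment decode, then resolve "." and ".." with
    an explicit stack so the result can never leave WEBAPP_ROOT.  Returns
    the filesystem path, or None when the request is refused."""
    segments = decode_segments(raw_path)
    if segments is None:
        return None
    stack = []
    for seg in segments:
        if seg in ("", "."):
            continue            # empty ("//") and "." add nothing
        if seg == "..":
            if not stack:
                return None     # would climb above the root: refuse
            stack.pop()
            continue
        stack.append(seg)
    return posixpath.join(WEBAPP_ROOT, *stack)


def path_info(raw_path, servlet_path):
    """PATH_INFO under the strict rules: the decoded remainder after the
    servlet mapping, kept verbatim (no normalisation).  None when the
    request is refused or does not fall under servlet_path."""
    segments = decode_segments(raw_path)
    if segments is None:
        return None
    decoded = "/".join(segments)
    if not decoded.startswith(servlet_path + "/"):
        return None
    return decoded[len(servlet_path):]


if __name__ == "__main__":
    samples = [  # constructed request paths
        "/docs/index.html",
        "/docs/../index.html",
        "/..%2F..%2F..%2Fetc%2Fpasswd",
        "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/../index.html",
    ]
    for raw in samples:
        print(f"{raw:36} unsafe={unsafe_resolve(raw):28} strict={strict_resolve(raw)}")
    for raw in ("/servlet/SnoopServlet/http://fubar",
                "/servlet/SnoopServlet/http:%2F%2Ffubar"):
        print(f"{raw:40} path_info={path_info(raw, '/servlet/SnoopServlet')!r}")
```

The naive resolver hands back /etc/passwd for the %2F-encoded traversal and /var/www/index.html for a literal "../" at the root; the strict one refuses both, and only the decode-once rule keeps a double-encoded %252F from ever becoming a separator. The cost is exactly the one debated in the thread: a servlet can no longer receive an encoded slash in its path info at all.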
