tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Request to Fix Tomcat Standalone 302 redirect Issue
Date Mon, 17 Feb 2003 17:34:00 GMT


On Mon, 17 Feb 2003, Donald Ball wrote:

> Date: Mon, 17 Feb 2003 11:44:16 -0500
> From: Donald Ball <dball@rhoworld.com>
> Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> Subject: Re: Request to Fix Tomcat Standalone 302 redirect Issue
>
> Tim Funk wrote:
>
> > A patch (which I didn't look at yet) could introduce the following:
> > - Bypassing security constraints, e.g. index.jsp is protected but / isn't
> > - Vulnerabilities - Through wacky optimizations, other pages might
> > get accidentally exposed
>
>
> Just curious... I assume the patch uses RequestDispatcher.forward to
> handle the request, right? But these checks should already be done by
> the RequestDispatcher, otherwise _anything_ that uses rd.forward could
> break security. So if we trust rd, what's the issue? If we don't, um,
> why _not_?
>

Security constraints are only checked on the original request URL, not on
RD.forward or RD.include calls -- the container assumes that the
application knows what it is doing in executing those calls within the
app.

If the container wants to use RD (or the internal equivalent) to implement
welcome file support, or other container level features like error files,
it had better pay attention to the security constraints.

> - donald

Craig
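The distinction Craig draws (constraints are evaluated against the original request URL, so a container feature that forwards internally to a welcome file must re-check the target) is easy to see in a small model. The following is an added example, not Tomcat code and not from anyone on this thread: a Python sketch of servlet-style constraint matching (exact pattern, then longest path prefix, then extension, then default, which is the order Tomcat's realm uses, simplified here) with a constructed deployment descriptor and resource list. `serve_naive` authorizes only the requested path before forwarding, which is the bypass Tim Funk warned about; `serve_checked` also authorizes the resolved welcome file.

```python
"""Model of servlet-style security constraints and welcome-file forwarding.

Constructed example for illustration; it is not Tomcat's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: a URL pattern and the roles allowed to reach it."""
    pattern: str      # "/index.jsp" (exact), "/docs/*" (prefix), "*.html" (extension), "/" (default)
    roles: frozenset  # roles permitted; an empty set means nobody is


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet URL-pattern semantics for a single pattern."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def find_constraints(constraints, path):
    """Constraints governing `path`: exact match wins, then the longest
    path-prefix pattern, then an extension pattern, then the default pattern."""
    exact = [c for c in constraints if c.pattern != "/" and c.pattern == path]
    if exact:
        return exact
    prefixes = [c for c in constraints
                if c.pattern.endswith("/*") and pattern_matches(c.pattern, path)]
    if prefixes:
        longest = max(len(c.pattern) for c in prefixes)
        return [c for c in prefixes if len(c.pattern) == longest]
    ext = [c for c in constraints
           if c.pattern.startswith("*.") and pattern_matches(c.pattern, path)]
    if ext:
        return ext
    return [c for c in constraints if c.pattern == "/"]


def is_authorized(constraints, path, user_roles) -> bool:
    """A path with no matching constraint is open; otherwise the caller needs
    one of the roles named by the matching constraints (roles are unioned)."""
    matched = find_constraints(constraints, path)
    if not matched:
        return True
    allowed = frozenset().union(*(c.roles for c in matched))
    return bool(allowed & frozenset(user_roles))


WELCOME_FILES = ("index.html", "index.jsp")
# Constructed resource list standing in for the deployed web application.
RESOURCES = frozenset({"/index.jsp", "/docs/index.html", "/docs/guide.html",
                       "/public/page.html"})


def resolve_welcome_file(path, resources=RESOURCES):
    """Directory requests map to the first welcome file that actually exists."""
    if not path.endswith("/"):
        return path
    for name in WELCOME_FILES:
        candidate = path + name
        if candidate in resources:
            return candidate
    return path


def serve_naive(constraints, path, user_roles):
    """Checks the constraint only on the original URL, then forwards internally.
    A protected index.jsp is reachable through its unprotected directory."""
    if not is_authorized(constraints, path, user_roles):
        return (403, path)
    return (200, resolve_welcome_file(path))


def serve_checked(constraints, path, user_roles):
    """Checks the original URL and, when the container forwards on its own
    initiative, the resolved target as well."""
    if not is_authorized(constraints, path, user_roles):
        return (403, path)
    target = resolve_welcome_file(path)
    if target != path and not is_authorized(constraints, target, user_roles):
        return (403, target)
    return (200, target)


# Constructed descriptor: index.jsp needs "admin", but "/" itself is unconstrained.
CONSTRAINTS = (
    Constraint("/index.jsp", frozenset({"admin"})),
    Constraint("/docs/*", frozenset({"user"})),
    Constraint("*.html", frozenset({"admin"})),
)

if __name__ == "__main__":
    print(serve_naive(CONSTRAINTS, "/", ()))    # (200, '/index.jsp'): constraint bypassed
    print(serve_checked(CONSTRAINTS, "/", ()))  # (403, '/index.jsp'): target re-checked
```

The same re-check applies to any other container-initiated forward (error pages, for instance): an application's own `RequestDispatcher.forward` is trusted because the application chose it, but a forward the container performs on the client's behalf is still effectively the client's request.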

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

