Subject: Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED
From: Jean-Frederic
To: Tomcat Developers List
In-Reply-To: <464AE83B.1010103@kippdata.de>
References: <1179244805.3813.35.camel@jfcpc> <4649E1DC.704@kippdata.de> <1179297592.3824.9.camel@jfcpc> <464AE83B.1010103@kippdata.de>
Date: Wed, 16 May 2007 13:49:55 +0200
Message-Id: <1179316195.3824.30.camel@jfcpc>

On Wed, 2007-05-16 at 13:17 +0200, Rainer Jung wrote:
> >> Why do you think the default is bad?
> >
> > Because it breaks the specs and allows unexpected handling of URLs that
> > are encoded (for example: /context-A/%252E%252E/context-B that is sent
> > to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat
> > as /context-B).
>
> So how do you suggest to handle a change?
>
> - Being secure by default, i.e. really changing the default in 1.2 and
> putting a big note about it in the docs, the news page and maybe the
> download README

Yes, I think that's the correct option. Default values should always
follow the specs and be as secure as possible.

Cheers

Jean-Frederic

> or/and
>
> - Staying compatible in 1.2, changing in 1.3 but putting a big note in
> the docs page about the options concerning the security relevance of the
> options.
>
> Regards,
>
> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
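The double-decoding problem the thread describes, as an added example that is not part of the original message and not mod_jk or Tomcat code. It models the two forwarding behaviours in Python: a proxy that percent-decodes once before forwarding (the default the thread calls bad) next to one that forwards the URI unparsed, and a backend that decodes once, normalises ".." segments and maps to a context. The simplified proxy and mapper, the context list and the helper names (proxy_forward, backend_map, resolve, is_double_encoded, decodes_differently_twice) are assumptions made for the example.

```python
"""Model of the URI double-decoding problem discussed in the thread.

Assumptions (not from the page): the proxy and mapper below are simplified
stand-ins for mod_jk and Tomcat's mapper, and the helper names are ours.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed context list; the thread names only context-A and context-B.
CONTEXTS = ("/context-A", "/context-B")

# Matches a percent-encoded percent sign followed by another escape, e.g. %252E.
_DOUBLE_ESCAPE = re.compile(r"%25[0-9A-Fa-f]{2}")


def proxy_forward(raw_uri: str, forward_unparsed: bool) -> str:
    """Forward a client URI to the backend.

    forward_unparsed=False models the behaviour the thread calls the bad
    default: the web server percent-decodes the URI once before forwarding,
    so a double-encoded sequence reaches the backend singly encoded.
    forward_unparsed=True models ForwardURICompatUnparsed: the URI is passed
    on exactly as the client sent it.
    """
    return raw_uri if forward_unparsed else unquote(raw_uri)


def backend_map(forwarded_uri: str, contexts=CONTEXTS) -> str:
    """Simplified backend: decode once, normalise '.' and '..' segments,
    then pick the longest context path that is a prefix of the result."""
    decoded = unquote(forwarded_uri)
    canonical = posixpath.normpath(decoded)
    matches = [c for c in contexts
               if canonical == c or canonical.startswith(c + "/")]
    return max(matches, key=len) if matches else "(no context)"


def resolve(raw_uri: str, forward_unparsed: bool) -> str:
    """End-to-end: which context does the backend map the request to?"""
    return backend_map(proxy_forward(raw_uri, forward_unparsed))


def is_double_encoded(raw_uri: str) -> bool:
    """Cheap syntactic check for a %25xx sequence in the raw request line."""
    return bool(_DOUBLE_ESCAPE.search(raw_uri))


def decodes_differently_twice(raw_uri: str) -> bool:
    """Stronger check: does a second percent-decode change the result?
    True means the URI still carries escapes after one decode, which is
    exactly what a decode-then-forward proxy hands to a decoding backend."""
    once = unquote(raw_uri)
    return unquote(once) != once


if __name__ == "__main__":
    req = "/context-A/%252E%252E/context-B"
    print("decode-once default  ->", resolve(req, forward_unparsed=False))
    print("forward unparsed     ->", resolve(req, forward_unparsed=True))
    print("double-encoded?      ->", is_double_encoded(req),
          decodes_differently_twice(req))
```

With the decode-once proxy the request from the thread ends up mapped to /context-B; with unparsed forwarding the backend sees a literal "%2E%2E" path segment after its own single decode and stays inside /context-A. The two checks at the end are defender-side heuristics: the first is a quick pattern to flag in access logs or at the proxy, the second is the precise condition (a second decode still changes the URI) that a decode-then-forward setup exposes.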