tomcat-dev mailing list archives

From Christopher Schultz <>
Subject Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 15:13:34 GMT

Mark's official report to the users' list indicates that setting a
"secret" for the AJP connection does the trick. (I tried this myself
before digging up his message and can confirm that the sample code fails
when a "secret" is set).

Should we mention this on the Security page directly for those who
didn't read the announcement on the users' list?

