tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 15:47:43 GMT
On 08/09/2011 16:13, Christopher Schultz wrote:
> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> 
> Mark's official report to the users' list indicates that setting a 
> "secret" for the AJP connection does the trick. (I tried this
> myself before digging-up his message and can confirm that the
> sample code fails when a "secret" is set).
> 
> Should we mention this on the Security page directly for those who 
> didn't read the announcement on the users' list?

No reason why not. Go for it.

Mark
