Return-Path: 
 <tomcat-user-return-41311-apmail-jakarta-tomcat-user-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-user-archive@jakarta.apache.org
Received: (qmail 32086 invoked by uid 500); 16 Jul 2001 23:21:03 -0000
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: tomcat-user@jakarta.apache.org
list-help: <mailto:tomcat-user-help@jakarta.apache.org>
list-unsubscribe: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
list-post: <mailto:tomcat-user@jakarta.apache.org>
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 32077 invoked from network); 16 Jul 2001 23:21:03 -0000
Received: from h32.sny.collab.net (HELO icarus.apache.org) (64.208.42.42)
  by h31.sny.collab.net with SMTP; 16 Jul 2001 23:21:03 -0000
Received: (qmail 59770 invoked by uid 1059); 16 Jul 2001 23:20:20 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 16 Jul 2001 23:20:20 -0000
Date: Mon, 16 Jul 2001 16:20:20 -0700 (PDT)
From: "Craig R. McClanahan" <craigmcc@apache.org>
X-Sender: craigmcc@localhost
To: tomcat-user@jakarta.apache.org, noselasd@frisurf.no
Subject: Re: Need workaround for Tomcat security.
In-Reply-To: <01071523115900.09448@space.net>
Message-ID: <Pine.BSF.4.21.0107161616530.58873-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
X-Spam-Rating: localhost 1.6.2 0/1000/N
X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N



On Sun, 15 Jul 2001, Nils O. Sel=E5sdal wrote:

> Ok, i needed to put some security constraints to a dircetory, so I added =
this=20
> to my web.xml:
>  <security-constraint>
>       <display-name>UQoS Amin Area</display-name>
>       <web-resource-collection>
>          <web-resource-name>UQoS Amin Area</web-resource-name>
>            <url-pattern>/admin/*</url-pattern>
>       </web-resource-collection>
> I use BASIC authentication using the memory realm.
> Works like it supposed to when someone goes to my http://xxx/webapp/Admin=
/ or=20
> something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even=
=20
> more slashes), all security checkings are bypassed, anyone arr let right =
in !
> (same things happens always, try it with the 'security' example shipped w=
ith=20
> Tomcat.
> Sever bug!, I have posted it to BugZilla. This applies to atleast Tomcat=
=20
> 3.2.1 and 3.2.2.=20
> And I need it fixedas soon as possible. Does anyone know a workaround to=
=20
> thisone.(I'd rather not upgrade to Tomcat 4 yet,seems like its fixed here=
=2E)

It's not completely fixed in 4 -- some request URI paths still let you in.

> --=20
> Nils O. Sel=E5sdal
>=20

Yep ... it is a serious bug, affecting all versions of Tomcat, and there
is no workaround.  The problem relates to the fact that "normalization" of
the request URI (i.e. removing "//" and "/./", and compacting "/../") is
not being performed consistently.  This is going to be fixed (in all
versions) such that the request URI received by the server will be
normalized *before* being used to map to a servlet, or to select a
security constraint.  As a side effect, the value returned when you call
request.getRequestURI() will always be normalized.

Look for announcements of the availability of patched versions shortly.

Craig McClanahan