tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Paths containing %2F instead of /
Date Fri, 02 Nov 2007 18:30:40 GMT

All,

One of the unit tests is failing in the securityfilter project which
uses Tomcat (5.5) and httpunit for the tests themselves.

Basically, a test written a loooong time ago seems to be failing after
the fix for a bug which involves decoding of %2F in a URL into a '/'.

Either through mod_jk or directly to Tomcat's HTTP connector, now, any
request that has a / replaced with a %2F will not work. I'm pretty sure
this was a security fix.

I was wondering if anyone could explain what the initial problem was,
why this was "fixed" and if it makes any sense for me to try to fix this
test in any meaningful way, or if it should be simply removed.

(And yes, I have read this:
http://tomcat.apache.org/security-5.html#Fixed in Apache Tomcat 5.5.22,
5.0.SVN. I still don't get it... shouldn't it work properly when using
the HTTP connector?)

Thanks,
-chris
