tomcat-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: %3B in path-info
Date Thu, 10 Apr 2008 23:58:49 GMT
Rémy Maucherat wrote:
> On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle <jessh@ptc.com> wrote:
>>  Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]
> 
> Guys, you've been going crazy about a (known) security issue: CVE-2007-1860
> See http://tomcat.apache.org/security-jk.html
> 
> Rémy

Rémy,

I know that we cleaned reencoding of forwarded URLs up in the context of 
the CVE and mod_jk. The semicolon wasn't involved in the CVE though and 
at that time it would have been easier, if the AJP connectors had 
resolved %3Bjsessionid (because then we wouldn't have needed a new JK 
forward option).

Regards,

Rainer

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

