tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Using encoded slashes safely
Date Tue, 28 Apr 2009 07:19:53 GMT
Bill Higgins wrote:
> We have a servlet that acts as a proxy to other URLs from different
> origins. E.g. via your web app you could get to the Google home page
> via a URL like:
> 
> http://localhost/myapp/proxy/http%3A%2F%2Fwww.google.com%2F
> 
> Using this URL pattern, we immediately hit the Tomcat "noSlash"
> restriction (Directory traversal CVE-2007-0450) and in order for our
> proxy to work we have to set the environment variable
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH to true.

A better workaround might be to pass the required URL as a query parameter.

> I have more questions on how to respond to this Tomcat behavior, but
> I'm hoping someone could provide more input on the rationale behind
> the current fix for CVE-2007-0450 to provide additional context for my
> other questions.

I've been back over the private discussions that took place at the time. The aim
was to provide a fix without breaking the existing functionality. There was no
debate around changing the existing functionality, nor the correctness of it.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message