tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Harish Krishnan <harish....@gmail.com>
Subject Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Date Thu, 17 Mar 2016 23:12:13 GMT
Thanks a lot for the clear explanation, Mark. I have all my questions
answered, appreciate your help & you guys are Great!
My apologies for the previous follow-up emails, I am still a novice in
tomcat & failed in understanding the exact fix quicker.


regards
Harish Krishnan

On Wed, Mar 16, 2016 at 4:38 AM, Mark Thomas <markt@apache.org> wrote:

> On 15/03/2016 20:58, Harish Krishnan wrote:
> > Hello There,
> >
> >  I am kind of blocked here in my project while applying your CVE fix in
> our
> > product & verify the fix. Any guidelines on what i am doing (mentioned in
> > my previous email) wrong is highly appreciated.
>
> You are failing to follow the hints you have been given previously.
>
> > All i am trying to do is, disable the redirect for the root (Ex:
> /manager &
> > /examples in tomcat) of the webapp. If i know how to do this on the
> > mentioned tomcat webapps, then i can apply the same for my webapps too.
> > Looking for your response & help here.
>
> You CAN NOT disable the redirect. As the documentation for the two
> redirect options makes clear, all they do is change WHERE the redirect
> happens.
>
> The key point in all of this is that security constraints are applied
> AFTER the Mapper and BEFORE the DefaultServlet. If the request is for a
> protected resource and the redirects take place in the Mapper, then the
> response will confirm whether that resource exists irrespective of
> whether or not the user is authorized to access the resource. If the
> redirect takes place in the Default Servlet, the response will reflect
> the security constraints and the user's access rights if any.
>
> Again, you need to look at the security constraints for the Manager
> application. /manager is NOT a protected resource so the redirect is
> always going to happen.
>
> Mark
>
>
> >
> >
> > regards
> > Harish Krishnan
> >
> > On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish.kmp@gmail.com>
> > wrote:
> >
> >> Thanks again for the reply, Chris & Violeta!
> >> Thanks for clarifying what the "protected directory" is, even i guessed
> it
> >> to be same. Now i understood the fix for the directories protected by a
> >> security constraint. I also verified this & the redirect is no more
> >> happening for these protected ones. Really appreciate your help here.
> >>
> >> However, i am still unable to disable the redirect for the root of the
> >> webapp. This is what i did on the latest tomcat build (7.0.68) -
> >>
> >> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> >> for manager webapp. Here is my context.xml (from
> >> \webapps\manager\META-INF\) file -
> >>
> >> <Context mapperContextRootRedirectEnabled="false"
> >> antiResourceLocking="false" privileged="true" >
> >>  </Context>
> >>
> >> b) Accessing http://localhost:8080/manager gets redirected to manger/.
> >>
> >> c) I have also set the above context attribute in the default
> context.xml
> >> (from \conf\context.xml) file as well.
> >>
> >> d) Accessing http://localhost:8080/examples gets redirected to
> examples/.
> >>
> >> Not sure what i am missing here. Same behavior is seen on my web
> >> application too.
> >> Please let me know where i am doing wrong & help me on how to disable
> the
> >> redirect for the root of webapps.
> >>
> >>
> >> regards
> >> Harish Krishnan
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> >> chris@christopherschultz.net> wrote:
> >>
> >>> Harish,
> >>>
> >>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
> >>>> Thanks Chris for the reply.
> >>>> Looks like my understanding of the fix is incorrect.
> >>>> I assumed (my bad) that, with the fix for this CVE in place (tomcat
> >>>> 7.0.68) + setting the additional context attribute
> >>>> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> >>>> webapp where context attribute was set, will completely be disabled.
> >>>> You mentioned that only "protected directories" inside the deployed
> web
> >>>> application is covered in this CVE fix.
> >>>> Can you please help me understand what this protected directories are
> &
> >>> how
> >>>> to configure this in tomcat ?
> >>>
> >>> A "protected directory" is one that has a <security-constraint> in
> >>> web.xml. That's not a spec-defined term... just one we've been using
> >>> because it captures the meaning with fewer words.
> >>>
> >>> As for the redirects you are seeing that "expose" the availability of a
> >>> particular web application, those are essentially impossible to
> prevent,
> >>> and not considered a part of the CVE.
> >>>
> >>> -chris
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message