https://bz.apache.org/bugzilla/show_bug.cgi?id=60594

--- Comment #23 from Coty Sutherland <csuth...@redhat.com> ---
(In reply to Mark Thomas from comment #22)
> You mean '<' and '>' ?

Yes.

> There is always the risk that unexpected reverse proxy behaviour will
> trigger a CVE-2016-6816 like issue but that risk exists for any
> white-listed character that should really be encoded.
> 
> I don't see it affecting the URL parsing in Tomcat.
> 
> If the undecoded URL is used in any XML like output it is likely to break
> it. But any user that is using '<' and '>' will be facing that problem
> already.
> 
> They look to be higher risk in terms of breaking stuff, but not in a
> security sense.
> 
> +1 to your approach.

OK, cool. Would we want to add them to Tomcat then? It's a small code change,
so I have no problems with Fedora/RHEL diverging a bit here if we don't want
them.
