This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push: new 13e4ed3 Update the security how-to to reflect the reduction in system properties 13e4ed3 is described below commit 13e4ed380dec4a1b276fe23e8c1a7e80e0a271ec Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Apr 1 11:53:28 2020 +0100 Update the security how-to to reflect the reduction in system properties --- webapps/docs/security-howto.xml | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index fbdb9d7..0eddda6 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -261,6 +261,11 @@ address a connector listens on for connections. By default, a connector listens on all configured IP addresses.</p> + <p>The <strong>allowBackslash</strong> attribute allows non-standard + parsing of the request URI. Setting this attribute to a non-default value + when behind a reverse proxy may enable an attacker to bypass any security + constraints enforced by the proxy.</p> + <p>The <strong>allowTrace</strong> attribute may be used to enable TRACE requests which can be useful for debugging. Due to the way some browsers handle the response from a TRACE request (which exposes the browser to an 
@@ -271,6 +276,18 @@ the default value, and this reduces the chances of a bug in an application exposing data from one request to another.</p> + <p>The <strong>encodedSolidusHandling</strong> attribute allows + non-standard parsing of the request URI. Setting this attribute to a + non-default value when behind a reverse proxy may enable an attacker to + bypass any security constraints enforced by the proxy.</p> + + <p>The <strong>enforceEncodingInGetWriter</strong> attribute has security + implications if set to <code>false</code>. Many user agents, in breach of + RFC 7230, try to guess the character encoding of text media types when the + specification-mandated default of ISO-8859-1 should be used. Some browsers + will interpret as UTF-7 a response containing characters that are safe for + ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7.</p> + <p>The <strong>maxPostSize</strong> attribute controls the maximum size of a POST request that will be parsed for parameters. The parameters are cached for the duration of the request so this is limited to 2MB by 
@@ -465,24 +482,6 @@ </subsection> </section> - <section name="System Properties"> - <p>The <strong> - org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</strong> and - <strong>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</strong> - system properties allow non-standard parsing of the request URI. Using - these options when behind a reverse proxy may enable an attacker to bypass - any security constraints enforced by the proxy.</p> - - <p>The <strong> - org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER - </strong> system property has security implications if disabled. Many user - agents, in breach of RFC2616, try to guess the character encoding of text - media types when the specification-mandated default of ISO-8859-1 should be - used. Some browsers will interpret as UTF-7 a response containing characters - that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted - as UTF-7.</p> - </section> - <section name="web.xml"> <p>This applies to the default <code>conf/web.xml</code> file, the <code>/WEB-INF/tomcat-web.xml</code> and the <code>/WEB-INF/web.xml</code> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
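Review bot: In the first hunk (the new allowBackslash paragraph after the address paragraph) the phrase "Setting this attribute to a non-default value" never tells the reader what the default is, so the reader cannot tell from this paragraph alone which setting is the risky one; the removed System Properties text at least made clear that enabling the option was the problem. Suggest stating the default explicitly, e.g. "The default value is the safe one; enabling it when behind a reverse proxy may enable an attacker to bypass ...", or linking to the attribute's entry in the connector reference where the default is documented.

Review bot: In the second hunk the encodedSolidusHandling paragraph repeats the allowBackslash paragraph almost word for word ("allows non-standard parsing of the request URI. Setting this attribute to a non-default value when behind a reverse proxy may enable an attacker to bypass any security constraints enforced by the proxy."), and its name suggests a choice between several handling modes rather than an on/off flag, so "non-default value" is less precise here than it was for the boolean it replaces. Suggest either merging the two attributes into one paragraph ("The allowBackslash and encodedSolidusHandling attributes allow non-standard parsing ...") as the old section did, or naming which of the attribute's values actually enable the non-standard parsing. The enforceEncodingInGetWriter paragraph has the same gap: it describes the consequence of `false` but not the default, so a reader cannot tell whether action is needed; the RFC update from RFC2616 to RFC 7230 is correct and welcome.

Review bot: In the third hunk the whole "System Properties" section is deleted with no forwarding text, so an administrator who previously set org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH, org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH or org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER and searches this how-to for those names will find nothing and may assume the protection is gone. Suggest a one-line note (here or in the changelog/migration guide) mapping each removed property to the connector attribute that now controls it, and checking the other docs for links to the section anchor that `<section name="System Properties">` generated, since those links will now dangle.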