This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 57d059c6e1 Expand the description of the security implications of some settings 57d059c6e1 is described below commit 57d059c6e1276c7ea70662778c720ba5440c8188 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jan 16 17:00:28 2025 +0000 Expand the description of the security implications of some settings Specifically, setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true --- webapps/docs/changelog.xml | 10 ++++++++++ webapps/docs/config/context.xml | 20 ++++++++++++++------ webapps/docs/security-howto.xml | 9 +++++++++ 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 1861714fcc..e23927cc29 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -183,6 +183,16 @@ </fix> </changelog> </subsection> + <subsection name="Web applications"> + <changelog> + <add> + Documentation. Expand the description of the security implications of + setting <code>mapperContextRootRedirectEnabled</code> and/or + <code>mapperDirectoryRedirectEnabled</code> to <code>true</code>. + (markt) + </add> + </changelog> + </subsection> <subsection name="Other"> <changelog> <update> diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml index 21cf309775..f71e7bbe81 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml 
@@ -408,17 +408,25 @@ <attribute name="mapperContextRootRedirectEnabled" required="false"> <p>If enabled, requests for a web application context root will be redirected (adding a trailing slash) if necessary by the Mapper rather - than the default Servlet. This is more efficient but has the side effect - of confirming that the context path exists. If not specified, the - default value of <code>true</code> is used.</p> + than the default Servlet. This is more efficient but there are security + side effects. First, the existance of a web application or a directory + may be confirmed even though the user does not have access to that + directory. Secondly, any Valves and/or Filters - including those + providing security functionality - will not have an opportunity to + process the request. If not specified, the default value of + <code>true</code> is used.</p> </attribute> <attribute name="mapperDirectoryRedirectEnabled" required="false"> <p>If enabled, requests for a web application directory will be redirected (adding a trailing slash) if necessary by the Mapper rather - than the default Servlet. This is more efficient but has the side effect - of confirming that the directory is exists. If not specified, the - default value of <code>false</code> is used.</p> + than the default Servlet. This is more efficient but there are security + side effects. First, the existance of a web application or a directory + may be confirmed even though the user does not have access to that + directory. Secondly, any Valves and/or Filters - including those + providing security functionality - will not have an opportunity to + process the request. If not specified, the default value of + <code>false</code> is used.</p> </attribute> <attribute name="override" required="false"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index fc7d7290a7..bcd90f07bf 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -404,6 +404,15 @@ (<code>$CATALINA_BASE/temp</code> by default). This location should be secured with appropriate file permissions - typically read/write for the Tomcat user and no access for other users.</p> + + <p>When <strong>mapperContextRootRedirectEnabled</strong> and/or + <strong>mapperDirectoryRedirectEnabled</strong> are enabled, request + processing will be more efficient but there are security side effects. + First, the existance of a web application or a directory may be confirmed + even though the user does not have access to that directory. Secondly, any + Valves and/or Filters - including those providing security functionality - + will not have an opportunity to process the request.</p> + </subsection> <subsection name="Valves">
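Review bot: in the context.xml hunk, "existance" in both rewritten attribute descriptions should be "existence" (the same misspelling recurs in the security-howto hunk). In the mapperContextRootRedirectEnabled paragraph the clause "even though the user does not have access to that directory" follows "a web application or a directory", so "that web application or directory" would match what was just named. It would also help readers to say why the Valves and Filters are skipped, for example "because the Mapper issues the redirect before the request reaches the container pipeline, so authentication or access-control configured as a Valve or Filter does not run for it"; as written, the consequence is stated but the mechanism is left for the reader to infer.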
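Review bot: the new security-howto paragraph says "When ... are enabled" but gives no defaults, while the context.xml hunk in this same patch documents mapperContextRootRedirectEnabled as defaulting to true and mapperDirectoryRedirectEnabled as defaulting to false. An administrator reading only the security how-to will not realise the context-root redirect is already on and has to be set to false explicitly if the existence disclosure or the bypass of security Valves and Filters matters to them. Suggest appending a sentence such as "Note that mapperContextRootRedirectEnabled is enabled by default; set it to false on the Context if these side effects are a concern." Also "existance" should be "existence".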