Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-19 Thread Harish Krishnan
Thanks a lot for the clear explanation, Mark. I have all my questions
answered; I appreciate your help, and you guys are great!
My apologies for the previous follow-up emails; I am still a novice in
Tomcat and failed to understand the exact fix more quickly.


regards
Harish Krishnan

On Wed, Mar 16, 2016 at 4:38 AM, Mark Thomas  wrote:

> On 15/03/2016 20:58, Harish Krishnan wrote:
> > Hello There,
> >
> >  I am kind of blocked here in my project while applying your CVE fix in
> our
> > product & verify the fix. Any guidelines on what i am doing (mentioned in
> > my previous email) wrong is highly appreciated.
>
> You are failing to follow the hints you have been given previously.
>
> > All i am trying to do is, disable the redirect for the root (Ex:
> /manager &
> > /examples in tomcat) of the webapp. If i know how to do this on the
> > mentioned tomcat webapps, then i can apply the same for my webapps too.
> > Looking for your response & help here.
>
> You CAN NOT disable the redirect. As the documentation for the two
> redirect options makes clear, all they do is change WHERE the redirect
> happens.
>
> The key point in all of this is that security constraints are applied
> AFTER the Mapper and BEFORE the DefaultServlet. If the request is for a
> protected resource and the redirects take place in the Mapper, then the
> response will confirm whether that resource exists irrespective of
> whether or not the user is authorized to access the resource. If the
> redirect takes place in the Default Servlet, the response will reflect
> the security constraints and the user's access rights if any.
>
> Again, you need to look at the security constraints for the Manager
> application. /manager is NOT a protected resource so the redirect is
> always going to happen.
>
> Mark
>
>
> >
> >
> > regards
> > Harish Krishnan
> >
> > On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan 
> > wrote:
> >
> >> Thanks again for the reply, Chris & Violeta!
> >> Thanks for clarifying what the "protected directory" is, even i guessed
> it
> >> to be same. Now i understood the fix for the directories protected by a
> >> security constraint. I also verified this & the redirect is no more
> >> happening for these protected ones. Really appreciate your help here.
> >>
> >> However, i am still unable to disable the redirect for the root of the
> >> webapp. This is what i did on the latest tomcat build (7.0.68) -
> >>
> >> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> >> for manager webapp. Here is my context.xml (from
> >> \webapps\manager\META-INF\) file -
> >>
> >>  >> antiResourceLocking="false" privileged="true" >
> >>  
> >>
> >> b) Accessing http://localhost:8080/manager gets redirected to manager/.
> >>
> >> c) I have also set the above context attribute in the default
> context.xml
> >> (from \conf\context.xml) file as well.
> >>
> >> d) Accessing http://localhost:8080/examples gets redirected to
> examples/.
> >>
> >> Not sure what i am missing here. Same behavior is seen on my web
> >> application too.
> >> Please let me know where i am doing wrong & help me on how to disable
> the
> >> redirect for the root of webapps.
> >>
> >>
> >> regards
> >> Harish Krishnan
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >>> Harish,
> >>>
> >>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
>  Thanks Chris for the reply.
>  Looks like my understanding of the fix is incorrect.
>  I assumed (my bad) that, with the fix for this CVE in place (tomcat
>  7.0.68) + setting the additional context attribute
>  (mapperContextRootRedirectEnabled="false"), all the redirects for that
>  webapp where context attribute was set, will completely be disabled.
>  You mentioned that only "protected directories" inside the deployed
> web
>  application is covered in this CVE fix.
>  Can you please help me understand what this protected directories are
> &
> >>> how
>  to configure this in tomcat ?
> >>>
> >>> A "protected directory" is one that has a  in
> >>> web.xml. That's not a spec-defined term... just one we've been using
> >>> because it captures the meaning with fewer words.
> >>>
> >>> As for the redirects you are seeing that "expose" the availability of a
> >>> particular web application, those are essentially impossible to
> prevent,
> >>> and not considered a part of the CVE.
> >>>
> >>> -chris
> >>>
> >>> -
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >>>
> >>
> >
>
>
>
>


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-18 Thread Mark Thomas
On 15/03/2016 20:58, Harish Krishnan wrote:
> Hello There,
> 
>  I am kind of blocked here in my project while applying your CVE fix in our
> product & verify the fix. Any guidelines on what i am doing (mentioned in
> my previous email) wrong is highly appreciated.

You are failing to follow the hints you have been given previously.

> All i am trying to do is, disable the redirect for the root (Ex: /manager &
> /examples in tomcat) of the webapp. If i know how to do this on the
> mentioned tomcat webapps, then i can apply the same for my webapps too.
> Looking for your response & help here.

You CAN NOT disable the redirect. As the documentation for the two
redirect options makes clear, all they do is change WHERE the redirect
happens.

The key point in all of this is that security constraints are applied
AFTER the Mapper and BEFORE the DefaultServlet. If the request is for a
protected resource and the redirects take place in the Mapper, then the
response will confirm whether that resource exists irrespective of
whether or not the user is authorized to access the resource. If the
redirect takes place in the Default Servlet, the response will reflect
the security constraints and the user's access rights if any.

Again, you need to look at the security constraints for the Manager
application. /manager is NOT a protected resource so the redirect is
always going to happen.

Mark


> 
> 
> regards
> Harish Krishnan
> 
> On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan 
> wrote:
> 
>> Thanks again for the reply, Chris & Violeta!
>> Thanks for clarifying what the "protected directory" is, even i guessed it
>> to be same. Now i understood the fix for the directories protected by a
>> security constraint. I also verified this & the redirect is no more
>> happening for these protected ones. Really appreciate your help here.
>>
>> However, i am still unable to disable the redirect for the root of the
>> webapp. This is what i did on the latest tomcat build (7.0.68) -
>>
>> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
>> for manager webapp. Here is my context.xml (from
>> \webapps\manager\META-INF\) file -
>>
>> > antiResourceLocking="false" privileged="true" >
>>  
>>
>> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>>
>> c) I have also set the above context attribute in the default context.xml
>> (from \conf\context.xml) file as well.
>>
>> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>>
>> Not sure what i am missing here. Same behavior is seen on my web
>> application too.
>> Please let me know where i am doing wrong & help me on how to disable the
>> redirect for the root of webapps.
>>
>>
>> regards
>> Harish Krishnan
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Harish,
>>>
>>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
 Thanks Chris for the reply.
 Looks like my understanding of the fix is incorrect.
 I assumed (my bad) that, with the fix for this CVE in place (tomcat
 7.0.68) + setting the additional context attribute
 (mapperContextRootRedirectEnabled="false"), all the redirects for that
 webapp where context attribute was set, will completely be disabled.
 You mentioned that only "protected directories" inside the deployed web
 application is covered in this CVE fix.
 Can you please help me understand what this protected directories are &
>>> how
 to configure this in tomcat ?
>>>
>>> A "protected directory" is one that has a  in
>>> web.xml. That's not a spec-defined term... just one we've been using
>>> because it captures the meaning with fewer words.
>>>
>>> As for the redirects you are seeing that "expose" the availability of a
>>> particular web application, those are essentially impossible to prevent,
>>> and not considered a part of the CVE.
>>>
>>> -chris
>>>
>>>
>>>
>>
> 





Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-15 Thread Harish Krishnan
Hello There,

 I am kind of blocked here in my project while applying your CVE fix in our
product and verifying the fix. Any guidelines on what I am doing wrong
(mentioned in my previous email) are highly appreciated.
All I am trying to do is disable the redirect for the root of the webapp
(e.g. /manager and /examples in Tomcat). If I know how to do this on the
mentioned Tomcat webapps, then I can apply the same to my webapps too.
Looking for your response and help here.


regards
Harish Krishnan

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan 
wrote:

> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even i guessed it
> to be same. Now i understood the fix for the directories protected by a
> security constraint. I also verified this & the redirect is no more
> happening for these protected ones. Really appreciate your help here.
>
> However, i am still unable to disable the redirect for the root of the
> webapp. This is what i did on the latest tomcat build (7.0.68) -
>
> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> for manager webapp. Here is my context.xml (from
> \webapps\manager\META-INF\) file -
>
>  antiResourceLocking="false" privileged="true" >
>  
>
> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>
> c) I have also set the above context attribute in the default context.xml
> (from \conf\context.xml) file as well.
>
> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>
> Not sure what i am missing here. Same behavior is seen on my web
> application too.
> Please let me know where i am doing wrong & help me on how to disable the
> redirect for the root of webapps.
>
>
> regards
> Harish Krishnan
>
>
>
>
>
>
>
> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Harish,
>>
>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
>> > Thanks Chris for the reply.
>> > Looks like my understanding of the fix is incorrect.
>> > I assumed (my bad) that, with the fix for this CVE in place (tomcat
>> > 7.0.68) + setting the additional context attribute
>> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
>> > webapp where context attribute was set, will completely be disabled.
>> > You mentioned that only "protected directories" inside the deployed web
>> > application is covered in this CVE fix.
>> > Can you please help me understand what this protected directories are &
>> how
>> > to configure this in tomcat ?
>>
>> A "protected directory" is one that has a  in
>> web.xml. That's not a spec-defined term... just one we've been using
>> because it captures the meaning with fewer words.
>>
>> As for the redirects you are seeing that "expose" the availability of a
>> particular web application, those are essentially impossible to prevent,
>> and not considered a part of the CVE.
>>
>> -chris
>>
>>
>>
>


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-14 Thread Harish Krishnan
Any help on my previous question is really appreciated.
Thank You!

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan 
wrote:

> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even i guessed it
> to be same. Now i understood the fix for the directories protected by a
> security constraint. I also verified this & the redirect is no more
> happening for these protected ones. Really appreciate your help here.
>
> However, i am still unable to disable the redirect for the root of the
> webapp. This is what i did on the latest tomcat build (7.0.68) -
>
> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> for manager webapp. Here is my context.xml (from
> \webapps\manager\META-INF\) file -
>
>  antiResourceLocking="false" privileged="true" >
>  
>
> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>
> c) I have also set the above context attribute in the default context.xml
> (from \conf\context.xml) file as well.
>
> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>
> Not sure what i am missing here. Same behavior is seen on my web
> application too.
> Please let me know where i am doing wrong & help me on how to disable the
> redirect for the root of webapps.
>
>
> regards
> Harish Krishnan
>
>
>
>
>
>
>
> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Harish,
>>
>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
>> > Thanks Chris for the reply.
>> > Looks like my understanding of the fix is incorrect.
>> > I assumed (my bad) that, with the fix for this CVE in place (tomcat
>> > 7.0.68) + setting the additional context attribute
>> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
>> > webapp where context attribute was set, will completely be disabled.
>> > You mentioned that only "protected directories" inside the deployed web
>> > application is covered in this CVE fix.
>> > Can you please help me understand what this protected directories are &
>> how
>> > to configure this in tomcat ?
>>
>> A "protected directory" is one that has a  in
>> web.xml. That's not a spec-defined term... just one we've been using
>> because it captures the meaning with fewer words.
>>
>> As for the redirects you are seeing that "expose" the availability of a
>> particular web application, those are essentially impossible to prevent,
>> and not considered a part of the CVE.
>>
>> -chris
>>
>>
>>
>


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-11 Thread Harish Krishnan
Thanks again for the reply, Chris & Violeta!
Thanks for clarifying what the "protected directory" is; I guessed it to be
the same. Now I understand the fix for the directories protected by a
security constraint. I also verified this, and the redirect no longer
happens for these protected ones. Really appreciate your help here.

However, I am still unable to disable the redirect for the root of the
webapp. This is what I did on the latest Tomcat build (7.0.68):

a) Set the context attribute (mapperContextRootRedirectEnabled) to false
for the manager webapp. Here is my context.xml (from
\webapps\manager\META-INF\) file:


 

b) Accessing http://localhost:8080/manager gets redirected to manager/.

c) I have also set the above context attribute in the default context.xml
(from \conf\context.xml) file as well.

d) Accessing http://localhost:8080/examples gets redirected to examples/.

Not sure what I am missing here. The same behavior is seen on my web
application too.
Please let me know where I am going wrong and help me on how to disable the
redirect for the root of webapps.


regards
Harish Krishnan







On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Harish,
>
> On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > Thanks Chris for the reply.
> > Looks like my understanding of the fix is incorrect.
> > I assumed (my bad) that, with the fix for this CVE in place (tomcat
> > 7.0.68) + setting the additional context attribute
> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > webapp where context attribute was set, will completely be disabled.
> > You mentioned that only "protected directories" inside the deployed web
> > application is covered in this CVE fix.
> > Can you please help me understand what this protected directories are &
> how
> > to configure this in tomcat ?
>
> A "protected directory" is one that has a  in
> web.xml. That's not a spec-defined term... just one we've been using
> because it captures the meaning with fewer words.
>
> As for the redirects you are seeing that "expose" the availability of a
> particular web application, those are essentially impossible to prevent,
> and not considered a part of the CVE.
>
> -chris
>
>
>


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-09 Thread Christopher Schultz
Harish,

On 3/8/16 5:47 PM, Harish Krishnan wrote:
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (tomcat
> 7.0.68) + setting the additional context attribute
> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> webapp where context attribute was set, will completely be disabled.
> You mentioned that only "protected directories" inside the deployed web
> application is covered in this CVE fix.
> Can you please help me understand what this protected directories are & how
> to configure this in tomcat ?

A "protected directory" is one that has a  in
web.xml. That's not a spec-defined term... just one we've been using
because it captures the meaning with fewer words.

As for the redirects you are seeing that "expose" the availability of a
particular web application, those are essentially impossible to prevent,
and not considered a part of the CVE.

-chris
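The pipeline order Mark describes (Mapper, then security constraints, then the DefaultServlet) and Chris's definition of a "protected directory", as an added example that is not code from this thread or from Tomcat: a small Python model that reads the security-constraint entries of a constructed web.xml and reports the status an anonymous client sees for an existing versus a missing protected directory under each redirect placement. The web.xml fragment, the directory set, the status codes and the `redirect_in_mapper` flag are assumptions made for the model, not Tomcat's real configuration or API.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not Tomcat's real manager web.xml): only
# /html/* carries a <security-constraint>, so /images is unprotected.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed set of directories that exist inside the deployed webapp.
DIRECTORIES = {"/images", "/html", "/html/admin"}


def protected_patterns(web_xml):
    """Collect (url-pattern, required roles) from every security-constraint."""
    constraints = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text for r in auth.iter("role-name")}
        for pattern in sc.iter("url-pattern"):
            constraints.append((pattern.text, roles))
    return constraints


def matches(pattern, path):
    """Servlet-style match: exact, or a prefix pattern ending in /*."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def is_protected(path, constraints):
    """Chris's definition: some <security-constraint> covers the path."""
    return any(matches(p, path) for p, _ in constraints)


def authorized(path, user_roles, constraints):
    """False if a matching constraint requires a role the user lacks.
    A constraint without <auth-constraint> needs no authentication."""
    return all(roles is None or roles & user_roles
               for pattern, roles in constraints if matches(pattern, path))


def handle(path, user_roles, constraints, redirect_in_mapper):
    """Status code seen for a request to a directory path without the
    trailing slash.  redirect_in_mapper=True models the pre-fix behaviour
    (redirect issued by the Mapper, before the security check); False
    models the fix (redirect left to the DefaultServlet, after it)."""
    exists = path in DIRECTORIES
    # 1. Mapper: no security constraint has been evaluated yet.
    if redirect_in_mapper and exists:
        return 302
    # 2. Security constraints from web.xml; 401 stands in for whatever
    #    challenge the configured authenticator sends.
    if not authorized(path, user_roles, constraints):
        return 401
    # 3. DefaultServlet: adds the trailing slash, or 404 if nothing is there.
    return 302 if exists else 404


def leaks_existence(constraints, redirect_in_mapper,
                    present="/html", absent="/html/nope"):
    """True when an anonymous client can tell an existing protected
    directory from a missing one by status code alone (CVE-2015-5345)."""
    anon = set()
    return (handle(present, anon, constraints, redirect_in_mapper)
            != handle(absent, anon, constraints, redirect_in_mapper))


if __name__ == "__main__":
    c = protected_patterns(WEB_XML)
    for setting in (True, False):
        print("redirect in Mapper:", setting,
              "-> existence leaks:", leaks_existence(c, setting))
    # /images has no constraint, so the redirect happens either way.
    print("/images anonymous:", handle("/images", set(), c, False))
```

Run against the constructed data, the unprotected /images redirects regardless of the setting, which is the behaviour Mark and Chris say cannot be turned off.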




Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-09 Thread Violeta Georgieva
Hi Harish,

2016-03-09 0:47 GMT+02:00 Harish Krishnan :
>
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (tomcat
> 7.0.68) + setting the additional context attribute
> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> webapp where context attribute was set, will completely be disabled.
> You mentioned that only "protected directories" inside the deployed web
> application is covered in this CVE fix.
> Can you please help me understand what this protected directories are &
how
> to configure this in tomcat ?

As Mark already pointed out, look at the web.xml of the Manager application,
specifically the security-constraint sections.
You may also find the following link [1] useful.

Regards,
Violeta

[1] https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

>
> regards
> Harish Krishnan
>
> On Tue, Mar 8, 2016 at 7:59 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> >
> > Harish,
> >
> > On 3/7/16 6:02 PM, Harish Krishnan wrote:
> > > Unfortunately, i still could not verify this vulnerability as it
> > > still appears not fixed & my requests get redirected.
> >
> > What makes you think that the requests should not be redirected?
> >
> > > Instead of using the manager webapp that comes default in tomcat,
> > > we created a sample webapp with the following security constraint
> > > -  
> > > hello.html 
> > >  
> > > sercure-hello
> > > /* 
> > > 
> > > NONE
> > >   
> > >
> > > Accessing http://localhost:8080/a (which exist) gets redirected to
> > > http://localhost:8080/a/ & then get 404. Accessing
> > > http://localhost:8080/b (does not exist) simply gets 404.
> >
> > Where did you deploy this sample web application?
> >
> > > I have set the context attribute (mapperContextRootRedirectEnabled)
> > > as well -  > > antiResourceLocking="false" privileged="true">   
> > >
> > > My question simply boils down to, What additional setting i need to
> > > do for the above redirect to NOT happen.
> >
> > Which redirect? A redirect for a protected directory inside of a
> > deployed web application (which is what this CVE covers) or the
> > redirect for a deployed web application (which is not what this CVE
> > covers)?
> >
> > -chris
> >
> >
> >


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-08 Thread Harish Krishnan
Thanks Chris for the reply.
It looks like my understanding of the fix is incorrect.
I assumed (my bad) that, with the fix for this CVE in place (Tomcat
7.0.68) plus setting the additional context attribute
(mapperContextRootRedirectEnabled="false"), all the redirects for the
webapp where the context attribute was set would be completely disabled.
You mentioned that only "protected directories" inside the deployed web
application are covered by this CVE fix.
Can you please help me understand what these protected directories are and how
to configure them in Tomcat?


regards
Harish Krishnan

On Tue, Mar 8, 2016 at 7:59 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Harish,
>
> On 3/7/16 6:02 PM, Harish Krishnan wrote:
> > Unfortunately, i still could not verify this vulnerability as it
> > still appears not fixed & my requests get redirected.
>
> What makes you think that the requests should not be redirected?
>
> > Instead of using the manager webapp that comes default in tomcat,
> > we created a sample webapp with the following security constraint
> > -  
> > hello.html 
> >  
> > sercure-hello
> > /* 
> > 
> > NONE
> >   
> >
> > Accessing http://localhost:8080/a (which exist) gets redirected to
> > http://localhost:8080/a/ & then get 404. Accessing
> > http://localhost:8080/b (does not exist) simply gets 404.
>
> Where did you deploy this sample web application?
>
> > I have set the context attribute (mapperContextRootRedirectEnabled)
> > as well -  > antiResourceLocking="false" privileged="true">   
> >
> > My question simply boils down to, What additional setting i need to
> > do for the above redirect to NOT happen.
>
> Which redirect? A redirect for a protected directory inside of a
> deployed web application (which is what this CVE covers) or the
> redirect for a deployed web application (which is not what this CVE
> covers)?
>
> -chris
>
>
>


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-08 Thread Christopher Schultz

Harish,

On 3/7/16 6:02 PM, Harish Krishnan wrote:
> Unfortunately, i still could not verify this vulnerability as it
> still appears not fixed & my requests get redirected.

What makes you think that the requests should not be redirected?

> Instead of using the manager webapp that comes default in tomcat,
> we created a sample webapp with the following security constraint
> -   
> hello.html  
>   
> sercure-hello 
> /*  
>  
> NONE 
>   
> 
> Accessing http://localhost:8080/a (which exist) gets redirected to 
> http://localhost:8080/a/ & then get 404. Accessing
> http://localhost:8080/b (does not exist) simply gets 404.

Where did you deploy this sample web application?

> I have set the context attribute (mapperContextRootRedirectEnabled)
> as well -  antiResourceLocking="false" privileged="true">   
> 
> My question simply boils down to, What additional setting i need to
> do for the above redirect to NOT happen.

Which redirect? A redirect for a protected directory inside of a
deployed web application (which is what this CVE covers) or the
redirect for a deployed web application (which is not what this CVE
covers)?

-chris




Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Harish Krishnan
Thanks for the reply, Mark.

Unfortunately, I still could not verify this vulnerability, as it still
appears not fixed and my requests get redirected.
Instead of using the manager webapp that comes by default in Tomcat, we
created a sample webapp with the following security constraint:
 

hello.html



sercure-hello
/*


NONE




Accessing http://localhost:8080/a (which exists) gets redirected to
http://localhost:8080/a/ and then gets 404.
Accessing http://localhost:8080/b (does not exist) simply gets 404.

I have set the context attribute (mapperContextRootRedirectEnabled) as well:

  
  


My question simply boils down to: what additional setting do I need to make for
the above redirect to NOT happen?
Thanks for your help.


regards
Harish Krishnan

On Mon, Mar 7, 2016 at 12:42 PM, Mark Thomas  wrote:

> On 07/03/2016 20:23, Harish Krishnan wrote:
> > Hi There,
> >
> >  I am verifying the fix that you made for CVE-2015-5345 & it appears to
> be
> > not fixed. I might be doing something wrong & hence sending out this
> email
> > to you.
> > All i did was,
> > a) Downloaded & installed the latest tomcat build 7.0.68.
> > b) Added the following context attribute to manager webapp just for
> testing
> > -
> >   File: $CATALINA_HOME\webapps\manager\META-INF\context.xml
> >> antiResourceLocking="false" privileged="true">
> > c) When i access http://localhost/8080/manager/images, it still gets
> > redirected to /images/ thereby confirming the folder location. Same
> thing
> > happens when accessing /manager/index.jsp too.
> >
> > Am i missing anything here ?
>
> Yes. Look at the security constraints defined for the Manager application.
>
> Mark
>
>
>
>


Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Mark Thomas
On 07/03/2016 20:23, Harish Krishnan wrote:
> Hi There,
> 
>  I am verifying the fix that you made for CVE-2015-5345 & it appears to be
> not fixed. I might be doing something wrong & hence sending out this email
> to you.
> All i did was,
> a) Downloaded & installed the latest tomcat build 7.0.68.
> b) Added the following context attribute to manager webapp just for testing
> -
>   File: $CATALINA_HOME\webapps\manager\META-INF\context.xml
>antiResourceLocking="false" privileged="true">
> c) When i access http://localhost/8080/manager/images, it still gets
> redirected to /images/ thereby confirming the folder location. Same thing
> happens when accessing /manager/index.jsp too.
> 
> Am i missing anything here ?

Yes. Look at the security constraints defined for the Manager application.

Mark

