On 3/8/16 5:47 PM, Harish Krishnan wrote:
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (tomcat
> 7.0.68) + setting the additional context attribute
> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> webapp where context attribute was set, will completely be disabled.
> You mentioned that only "protected directories" inside the deployed web
> application is covered in this CVE fix.
> Can you please help me understand what this protected directories are & how
> to configure this in tomcat ?

A "protected directory" is one that has a <security-constraint> in
web.xml. That's not a spec-defined term... just one we've been using
because it captures the meaning with fewer words.

As for the redirects you are seeing that "expose" the availability of a
particular web application, those are essentially impossible to prevent,
and not considered a part of the CVE.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to