Hello There,

 I am kind of blocked here in my project while applying your CVE fix in our
product & verify the fix. Any guidelines on what i am doing (mentioned in
my previous email) wrong is highly appreciated.
All i am trying to do is, disable the redirect for the root (Ex: /manager &
/examples in tomcat) of the webapp. If i know how to do this on the
mentioned tomcat webapps, then i can apply the same for my webapps too.
Looking for your response & help here.

Harish Krishnan

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish....@gmail.com>

> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even i guessed it
> to be same. Now i understood the fix for the directories protected by a
> security constraint. I also verified this & the redirect is no more
> happening for these protected ones. Really appreciate your help here.
> However, i am still unable to disable the redirect for the root of the
> webapp. This is what i did on the latest tomcat build (7.0.68) -
> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> for manager webapp. Here is my context.xml (from
> \webapps\manager\META-INF\) file -
> <Context mapperContextRootRedirectEnabled="false"
> antiResourceLocking="false" privileged="true" >
>  </Context>
> b) Accessing http://localhost:8080/manager gets redirected to manger/.
> c) I have also set the above context attribute in the default context.xml
> (from \conf\context.xml) file as well.
> d) Accessing http://localhost:8080/examples gets redirected to examples/.
> Not sure what i am missing here. Same behavior is seen on my web
> application too.
> Please let me know where i am doing wrong & help me on how to disable the
> redirect for the root of webapps.
> regards
> Harish Krishnan
> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>> Harish,
>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
>> > Thanks Chris for the reply.
>> > Looks like my understanding of the fix is incorrect.
>> > I assumed (my bad) that, with the fix for this CVE in place (tomcat
>> > 7.0.68) + setting the additional context attribute
>> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
>> > webapp where context attribute was set, will completely be disabled.
>> > You mentioned that only "protected directories" inside the deployed web
>> > application is covered in this CVE fix.
>> > Can you please help me understand what this protected directories are &
>> how
>> > to configure this in tomcat ?
>> A "protected directory" is one that has a <security-constraint> in
>> web.xml. That's not a spec-defined term... just one we've been using
>> because it captures the meaning with fewer words.
>> As for the redirects you are seeing that "expose" the availability of a
>> particular web application, those are essentially impossible to prevent,
>> and not considered a part of the CVE.
>> -chris
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to