Hello there, I am kind of blocked here in my project while applying your CVE fix in our product and verifying the fix. Any guidelines on what I am doing wrong (mentioned in my previous email) would be highly appreciated. All I am trying to do is disable the redirect for the root (e.g. /manager and /examples in Tomcat) of the webapp. If I know how to do this on the mentioned Tomcat webapps, then I can apply the same to my webapps too. Looking for your response and help here.
regards
Harish Krishnan

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish....@gmail.com> wrote:

> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even I guessed it
> to be the same. Now I understand the fix for the directories protected by a
> security constraint. I also verified this & the redirect is no longer
> happening for these protected ones. Really appreciate your help here.
>
> However, I am still unable to disable the redirect for the root of the
> webapp. This is what I did on the latest Tomcat build (7.0.68) -
>
> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> for the manager webapp. Here is my context.xml (from
> \webapps\manager\META-INF\) file -
>
> <Context mapperContextRootRedirectEnabled="false"
> antiResourceLocking="false" privileged="true" >
> </Context>
>
> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>
> c) I have also set the above context attribute in the default context.xml
> (from \conf\context.xml) file as well.
>
> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>
> Not sure what I am missing here. The same behavior is seen on my web
> application too.
> Please let me know where I am going wrong & help me with how to disable the
> redirect for the root of webapps.
>
> regards
> Harish Krishnan
>
> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Harish,
>>
>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
>> > Thanks Chris for the reply.
>> > Looks like my understanding of the fix is incorrect.
>> > I assumed (my bad) that, with the fix for this CVE in place (Tomcat
>> > 7.0.68) + setting the additional context attribute
>> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
>> > webapp where the context attribute was set would be completely disabled.
>> > You mentioned that only "protected directories" inside the deployed web
>> > application are covered in this CVE fix.
>> > Can you please help me understand what these protected directories are &
>> > how to configure this in Tomcat?
>>
>> A "protected directory" is one that has a <security-constraint> in
>> web.xml. That's not a spec-defined term... just one we've been using
>> because it captures the meaning with fewer words.
>>
>> As for the redirects you are seeing that "expose" the availability of a
>> particular web application, those are essentially impossible to prevent,
>> and not considered a part of the CVE.
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
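A quick way to verify the redirect behaviour discussed in this thread, as an added example that is not part of the original messages: the script issues HEAD requests without following redirects and reports whether each path receives a trailing-slash redirect. It assumes Tomcat listens on http://localhost:8080 with the manager and examples webapps deployed; the base URL and path list are assumptions.

```python
"""Check whether Tomcat answers a path with a trailing-slash redirect.

Added example, not from the thread. Assumes Tomcat on http://localhost:8080
with the manager and examples webapps deployed. HEAD requests are sent with
redirect following disabled so the raw 3xx response can be inspected.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so they surface as HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, path):
    """Return 'trailing-slash-redirect', 'other-redirect' or 'no-redirect'.

    A trailing-slash redirect is a 3xx whose Location path equals the
    requested path with exactly one '/' appended (e.g. /manager -> /manager/).
    """
    if status < 300 or status >= 400 or not location:
        return "no-redirect"
    target = urlsplit(location).path
    if target == path.rstrip("/") + "/":
        return "trailing-slash-redirect"
    return "other-redirect"


def probe(base, path, timeout=5):
    """HEAD base+path without following redirects; returns (status, location)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base + path, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # With redirects disabled, 3xx (and 4xx) responses arrive here.
        return e.code, e.headers.get("Location")


if __name__ == "__main__":
    # Assumed paths: context roots of the webapps named in the thread.
    for p in ("/manager", "/examples", "/manager/html"):
        status, loc = probe("http://localhost:8080", p)
        print(p, status, loc, classify(status, loc, p))
```

Run it before and after changing mapperContextRootRedirectEnabled to see whether the root path still reports a trailing-slash redirect.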