On 17 May 2018 15:46:07 BST, Chris Bonk <bonk.ch...@gmail.com> wrote:
>I have a strange issue, I am trying to track down the root cause for an
>ancient CVE-2006-1548
>I can replicate the XSS in Tomcat 4.0.6, however in Tomcat 6.0.37 the
>characters needed to inject the script are properly encoded, what is
>mechanism for this? I haven't been able to determine why
>handles the message parameter different between versioning.
>Can anyone point me in the right direction?

Looks like the error handling was rewritten in 4.1.x.


286679 looks relevant.

I'm on my phone so checking further is tricky but I suspect this is one of 
those grey areas in the spec where it isn't clear if the webapp or the 
container is responsible for sanitizing the data.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to