On 18/03/2020 00:04, James H. H. Lampert wrote:
> On 3/17/20 3:50 PM, Mark Thomas wrote:
>> The XXS might be valid. I assume the tool provided a sample URL you
>> could use to validate the finding. That should point you in the right
>> direction but feel free to ask here if more help is required.
> Near as I can tell, it did but it didn't provide a sample URL.
> Note that *all* I have is a PDF of the report, and I think the URL may
> have gotten mangled by spanning a page-break. I've posted a screenshot
> (with identifying information redacted) of what I'm looking at in the
> report:
> https://www.flickr.com/gp/64159238@N03/02i78o

I'll agree with Olaf. That doesn't look like a Tomcat file. Tomcat's
error.jsp doesn't have a from parameter.

> ****
> As to DELETE and OPTIONS, you get no argument from me about whether a
> DELETE will actually *do* anything (I've got a query out to our web
> developer on that), and on restricting OPTIONS being a case of "Security
> by obscurity"; however, this is a case of "The Customer is Always Right."
> I found a page on disabling HTTP methods with a security constraint:
> https://www.techstacks.com/howto/disable-http-methods-in-tomcat.html

The issue with that constraint is that it blacklists unwanted methods
rather than whitelisting acceptable ones. I'd go with something like:

  <web-resource-name>Limit methods</web-resource-name>
 <auth-constraint />

> But I'm not sure (1) how security constraints interact with other
> security constraints, and

See section 13.8.1 of the Servlet 4.0 spec.

> (2) whether they can go in the conf/web.xml as
> well as individual webapps' web.xml files.

Yes they can.

> As I said, I've got a query out to our web developers about *our*
> webapp, but does Manager make any use of DELETE or OPTIONS?


OPTIONS, only in the sense it supports it but it doesn't depend on it
being enabled so disabling OPTIONS won't break the manager app.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to