> I am using tomcat 7.
> Thank you for the advice in how to exclude the page, I will use it!
> However, is there any way to block the usage of the slash by the users?
Not yet. As far as I understand, the recommended fix is to reconfigure tomcat so it does not forbid the encoded version of the slash, as explained here: http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10 i.e. adding -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true to the CATALINA_OPTS.

The same note points out that without setting the other property there you can shoot yourself in the foot with a backslash '\' as well, and I can fully confirm this :)

As not every user might be willing to configure tomcat in a way that is considered "disabling a security setting", I wonder if it would be acceptable to add a configuration setting that contains a list of "illegal characters" for page names, which then can be set to '\' and '/' if XWiki is running inside a tomcat with its default configuration.

(Actually implementing this might be a bit tricky, as there are other ways to create a page with a '/' in the name, e.g. rename, copy and XAR-import, just to mention the few I can imagine on the spot ...)

Clemens

_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
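An added illustration of the two points in the reply above (not code from the mail, from XWiki or from Tomcat): a small Python model of how a servlet container decodes a request path under the two Tomcat switches the reply mentions, plus the kind of "illegal characters" page-name check the reply proposes. The `decode_request_path` function is a simplified model written for this example and its two flags stand in for the `ALLOW_ENCODED_SLASH` and `ALLOW_BACKSLASH` system properties; the `/xwiki/bin/view/...` URL shape, the `illegal_chars_in` check and its default character list are assumptions made here, not XWiki configuration that exists.

```python
"""Model of why a page name containing '/' or '\\' is unreachable on a stock
Tomcat, and of the proposed XWiki-side illegal-character check.
Illustrative code for this example only; not Tomcat's or XWiki's code."""
from urllib.parse import quote, unquote
import posixpath


class BadRequest(Exception):
    """Stands in for the HTTP 400 a container sends when it rejects a path."""


def decode_request_path(raw_path, allow_encoded_slash=False, allow_backslash=False):
    """Simplified model of a servlet container decoding a request path.

    The flags play the role of the Tomcat system properties
    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH and
    org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH; both
    default to off here, as they do in Tomcat since 6.0.10.  Assumed model,
    not Tomcat's implementation.
    """
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        # %2F is refused before decoding unless explicitly allowed
        raise BadRequest("encoded slash in " + raw_path)
    decoded = unquote(raw_path)
    if "\\" in decoded:
        if not allow_backslash:
            raise BadRequest("backslash in " + raw_path)
        # With backslashes allowed they behave as path separators ...
        decoded = decoded.replace("\\", "/")
    # ... and '..' segments are then resolved, which is the foot-gun:
    # a front proxy that only matched the raw prefix never saw the traversal.
    return posixpath.normpath(decoded)


def view_url(space, page):
    """Assumed XWiki view URL: every reserved character in the names is
    percent-encoded, so '/' becomes %2F and '\\' becomes %5C."""
    return "/xwiki/bin/view/%s/%s" % (quote(space, safe=""), quote(page, safe=""))


def reachable_with(page, **container_flags):
    """Does the page's view URL survive the container's decoding?"""
    try:
        decode_request_path(view_url("Main", page), **container_flags)
        return True
    except BadRequest:
        return False


# What a site running on an unmodified Tomcat would configure (assumption).
DEFAULT_ILLEGAL = "/\\"


def illegal_chars_in(page_name, illegal=DEFAULT_ILLEGAL):
    """Hypothetical XWiki-side check: return the configured illegal characters
    that occur in page_name (empty list means the name is acceptable).
    Every entry point that can create a page (create, rename, copy, XAR
    import) would have to call this for the check to be effective."""
    return sorted(set(page_name) & set(illegal))


if __name__ == "__main__":
    # Constructed sample page names and request paths.
    print("Main.A/B reachable on stock Tomcat:", reachable_with("A/B"))
    print("... with ALLOW_ENCODED_SLASH:", reachable_with("A/B", allow_encoded_slash=True))
    print("Main.A\\B reachable on stock Tomcat:", reachable_with("A\\B"))
    # The backslash foot-gun: a proxy restricting /public/ is bypassed.
    print("Path served with ALLOW_BACKSLASH:",
          decode_request_path("/public/..%5C..%5Cadmin/", allow_backslash=True))
    print("Illegal chars in 'a/b\\c':", illegal_chars_in("a/b\\c"))
```

The model deliberately keeps Tomcat's two switches independent: allowing `%2F` alone makes a page such as `Main.A/B` reachable, while allowing backslashes additionally lets `..%5C` sequences be normalised away after a prefix-matching proxy has already let the request through. The validator side returns the offending characters rather than a bare boolean so the calling code (create, rename, copy or import) can report exactly what to fix.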
