Posted to dev@tomcat.apache.org by bu...@apache.org on 2006/06/14 06:55:09 UTC
DO NOT REPLY [Bug 39810] New: - Security flaw in security-constraint when request made by "\"
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39810>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39810
Summary: Security flaw in security-constraint when request made by "\"
Product: Tomcat 5
Version: 5.5.17
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P3
Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: davidecr@gmail.com
I have the following web.xml part...
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <description>Accessible by registered users</description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access</description>
        <role-name>registered</role-name>
    </auth-constraint>
</security-constraint>
and all the other necessary parts... the problem is that everything is fine...
while the requests are like "http://localhost:8080/admin/something" as expected
it sends me to the defined login page BUT THE PROBLEM IS WHEN I USE "\"
(backslash) AS THE SEPARATOR like... "http://localhost:8080/admin\something"
tomcat retrieves the resource with no security concerns...
hope this is helpful enough...
oohhh while I was writing this I realized that this bug is only showing in
the firefox browser .... so I imagine maybe it's their bug... please let me know so I
put this to them if this is not the place where I should put this... anyway it
seems very important for you so I'm posting...
David Castañeda
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 39810] - Security flaw in security-constraint when request made by "\"
Posted by bu...@apache.org.
------- Additional Comments From remm@apache.org 2006-06-15 08:39 -------
The security checks are done on the decoded URI, which is normalized quite
extensively in CoyoteAdapter.normalize. So this report is totally credible :)
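An added example (not Tomcat's code and not written by anyone in this thread) of the point remm makes above: the constraint check has to run on the decoded, normalized path, so a backslash or an encoded separator in the raw URI still lands on /admin/*. It assumes the single constraint from the reporter's web.xml, a simplified url-pattern matcher, and a flag that models the naive raw-URI comparison the report describes.

```python
from urllib.parse import unquote

# Constraint from the report's web.xml: /admin/* requires the "registered" role.
# Constructed example; Tomcat's real normalization lives in CoyoteAdapter.normalize.
CONSTRAINTS = [("/admin/*", {"registered"})]


def normalize(uri):
    """Decode, then canonicalize a request path before any security decision.

    Returns the canonical path, or None when the path climbs above the
    context root and must be rejected rather than matched.
    """
    path = unquote(uri).replace("\\", "/")   # %5C and a literal '\' both become '/'
    if not path.startswith("/"):
        path = "/" + path
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                  # collapses '//' and '/./'
            continue
        if seg == "..":
            if not segments:
                return None                   # '/..' above the root: reject
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def matches(pattern, path):
    """Servlet url-pattern matching: path prefix (/x/*), extension (*.ext), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def decide(uri, normalize_first=True):
    """Return "reject", "protected" or "public" for a request URI.

    normalize_first=False models a naive matcher that compares url-patterns
    against the raw request URI, which is the behaviour the report describes.
    """
    path = normalize(uri) if normalize_first else uri
    if path is None:
        return "reject"
    for pattern, _roles in CONSTRAINTS:
        if matches(pattern, path):
            return "protected"
    return "public"
```

With normalization in place, "/admin\something", "/admin%5Csomething" and "/admin//page" all resolve to the protected prefix, while a path that would escape the context root is rejected outright instead of being matched.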
DO NOT REPLY [Bug 39810] - Security flaw in security-constraint when request made by "\"
Posted by bu...@apache.org.
markt@apache.org changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution |         | INVALID
------- Additional Comments From markt@apache.org 2006-06-14 22:55 -------
First off, security issues should be reported privately rather than in public.
This allows the Tomcat team to release a fix so it is available once the issue
is made public.
Fortunately in this case there is no issue. I have tested this extensively and
cannot reproduce it. I can think of a range of things you may have done that
could have caused this behaviour.
If you have a test case (ideally a ready to run WAR) that demonstrates
this issue please contact the Tomcat team privately as described at
http://tomcat.apache.org/bugreport.html and we will investigate further.