Posted to dev@tomcat.apache.org by bu...@apache.org on 2006/06/14 06:55:09 UTC

DO NOT REPLY [Bug 39810] New: - Security flaw in security-constraint when request made by "\"

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39810>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39810

           Summary: Security flaw in security-constraint when request made
                    by "\"
           Product: Tomcat 5
           Version: 5.5.17
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: davidecr@gmail.com


I've the following web-xml part...

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdminPages</web-resource-name>
            <description>Accessible by registered users</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>These are the roles who have access</description>
            <role-name>registered</role-name>
        </auth-constraint>
    </security-constraint>

and all the other necessary parts... the problem is that everything is fine...
while the requests are like "http://localhost:8080/admin/something" as expected
it sends me to the defined login page BUT THE PROBLEM IS WHEN I USE "\"
(backslash) AS THE SEPARATOR like... "http://localhost:8080/admin\something"
tomcat retrieves the resource with no security concerns...

hope this is helpful enough...

oohhh while I was writing this I realized that this bug is only showing in the
firefox browser .... so I imagine maybe it's their bug... please let me know so I
can put this to them if this is not the place where I should put this... anyway it
seems very important for you so I'm posting...

David Castañeda

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 39810] - Security flaw in security-constraint when request made by "\"

Posted by bu...@apache.org.

------- Additional Comments From remm@apache.org  2006-06-15 08:39 -------
The security checks are done on the decoded URI, which is normalized quite
extensively in CoyoteAdapter.normalize. So this report is totally credible :)


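The comment above makes the defensive point behind this report: a `<url-pattern>` constraint is only meaningful if it is matched against the request path after decoding and normalization, otherwise an alternate separator such as a backslash, a percent-encoded form of it, or a `..` segment can produce a path that the container would serve but that a raw string comparison does not recognise as `/admin/*`. The following Python is an added example written for this thread, not Tomcat code; `normalize_path`, `pattern_matches`, `required_roles`, `authorize_naive` and `authorize` are hypothetical helpers that approximate what a container must do before it evaluates a constraint, and they are not `CoyoteAdapter.normalize`. The constraint table and the request lines are constructed to mirror the `web.xml` fragment in the report.

```python
from urllib.parse import unquote

# Constructed constraint table mirroring the <security-constraint> in the
# report: (url-pattern, http-methods covered, roles allowed).
CONSTRAINTS = [
    ("/admin/*", {"GET", "POST"}, {"registered"}),
]


def normalize_path(raw: str) -> str:
    """Canonicalize a request path before it is compared against url-patterns.

    Hypothetical helper (not Tomcat's normalize): drops the query string,
    percent-decodes once, folds '\\' into '/', removes empty and '.' segments
    and resolves '..' without climbing above the root.
    """
    path = unquote(raw.split("?", 1)[0])   # decode %XX exactly once
    path = path.replace("\\", "/")         # alternate separator -> canonical one
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):               # '//' and '/./' carry no meaning
            continue
        if seg == "..":
            if segments:
                segments.pop()             # resolve '..' but never escape '/'
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style url-pattern matching: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        # '/admin/*' covers '/admin' and anything below it, not '/administrator'
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(method: str, path: str, constraints=CONSTRAINTS):
    """Roles that may access (method, path), or None if no constraint applies."""
    for pattern, methods, roles in constraints:
        if method in methods and pattern_matches(pattern, path):
            return roles
    return None


def authorize_naive(method: str, raw_uri: str, user_roles) -> bool:
    """Weak form: the constraint is matched against the raw request URI."""
    roles = required_roles(method, raw_uri)
    return roles is None or bool(roles & user_roles)


def authorize(method: str, raw_uri: str, user_roles) -> bool:
    """Hardened form: canonicalize first, then match the constraint."""
    roles = required_roles(method, normalize_path(raw_uri))
    return roles is None or bool(roles & user_roles)


if __name__ == "__main__":
    anonymous = frozenset()
    # Constructed request paths: the canonical one, the backslash form from
    # the report, its percent-encoded form, a dot-segment form, and a path
    # that merely shares the '/admin' prefix.
    for uri in ("/admin/something", "/admin\\something", "/admin%5Csomething",
                "/public/../admin/something", "/administrator"):
        print(f"{uri:30} raw-match allows anonymous: {authorize_naive('GET', uri, anonymous)!s:5} "
              f"normalized-match allows anonymous: {authorize('GET', uri, anonymous)}")
```

Running the block shows the raw-string matcher letting an anonymous request through for every variant except the canonical `/admin/something`, while the normalized matcher denies all of them and still leaves `/administrator` unconstrained, which is the behaviour the `<url-pattern>` author intended. Two caveats a practitioner checking such a configuration would want: first, whether `%2F` should decode to a separator before matching is a policy decision that real containers handle differently, so a deployment should confirm which form its container canonicalizes to; second, the `<http-method>` entries in the report's constraint cover only GET and POST, so any other method on `/admin/*` is unconstrained by that `<security-constraint>`, and omitting the `<http-method>` elements is what makes a constraint apply to all methods.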
DO NOT REPLY [Bug 39810] - Security flaw in security-constraint when request made by "\"

Posted by bu...@apache.org.

markt@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From markt@apache.org  2006-06-14 22:55 -------
First off, security issues should be reported privately rather than in public.
This allows the Tomcat team to release a fix so it is available once the issue
is made public.

Fortunately in this case there is no issue. I have tested this extensively and
cannot reproduce it. I can think of a range of things you may have done that
could have caused this behaviour.

If you have a test case (ideally a ready-to-run WAR) that demonstrates
this issue please contact the Tomcat team privately as described at
http://tomcat.apache.org/bugreport.html and we will investigate further.
