Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/10/26 04:57:04 UTC

DO NOT REPLY [Bug 50153] Remapping the default servlet

https://issues.apache.org/bugzilla/show_bug.cgi?id=50153

--- Comment #1 from Chuck Caldarale <ch...@unisys.com> 2010-10-25 22:56:58 EDT ---
(In reply to comment #0)
> Since I'm using a framework that maps its own servlet to /*, I have to remap
> the default servlet. In Tomcat 7.0.0 this mapping was working:
> 
>    <servlet-mapping>
>         <servlet-name>default</servlet-name>
>         <url-pattern>/static/</url-pattern>
>    </servlet-mapping>
> 
> But it doesn't in Tomcat 7.0.4

Unfortunately, you have been taking advantage (?) of a security hole in the
default servlet that allowed an ill-specified <url-pattern> to serve static
content from arbitrary locations.  As noted in the 7.0 changelog, the related
bug report can be found here:

http://issues.apache.org/bugzilla/show_bug.cgi?id=50026

The normal way to correctly implement this is to place the static content under
a known, real location, and configure that in <url-pattern>.  Alternatively, a
filter can be used to detect static references and forward them to the
DefaultServlet.  One could also use the appropriate suffix notation in the
<url-pattern> to direct requests to the DefaultServlet.

 - Chuck
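
The filter alternative mentioned in the comment above, sketched as an added example (not code from this thread or from the Tomcat project). The class name `StaticResourceFilter` and the `/static/` prefix are assumptions, and `default` is the servlet name used in the quoted mapping.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: hands requests under /static/ to the container's
// default servlet before a framework servlet mapped to /* sees them.
@WebFilter("/*")
public class StaticResourceFilter implements Filter {
    private static final String PREFIX = "/static/";          // assumed real directory in the webapp root
    private static final String DEFAULT_SERVLET = "default";  // servlet name from the quoted mapping
    private ServletContext context;

    @Override
    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the decoded servletPath + pathInfo rather than getRequestURI(),
        // so percent-encoded variants of the prefix are compared in decoded form.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // Anything outside the one known static location, or containing a
        // parent-directory segment, goes to the normal chain untouched.
        if (!path.startsWith(PREFIX) || path.contains("/../") || path.endsWith("/..")) {
            chain.doFilter(req, res);
            return;
        }
        // A named dispatcher keeps the original request path, so the default
        // servlet resolves the file at that same path under the webapp root.
        RequestDispatcher rd = context.getNamedDispatcher(DEFAULT_SERVLET);
        if (rd == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, res);
    }

    @Override
    public void destroy() { }
}
```

With this in place the `default` servlet needs no remapping in the application's web.xml, and only files that physically exist under `/static/` in the webapp are served as static content.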
