Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/02/17 12:11:24 UTC

[Bug 65895] getContextPath() might introduce a xss cross site

https://bz.apache.org/bugzilla/show_bug.cgi?id=65895

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
That is an application security vulnerability in the JSP, not an issue with
Tomcat.

The Servlet spec requires that request.getContext() returns the original,
undecoded path.

My assumption is that the Maven plugin is using a version of Tomcat that
doesn't include the fix for bug 57215.

If Jetty isn't returning the original context path then that is an issue for
Jetty.

Generally, applications should be using application.getContextPath() which
returns the canonical context path.

This behaviour is an argument for the deprecation and eventual removal of
request.getContextPath() - or for its behaviour to be changed to match
ServletContext.getContextPath().

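The distinction drawn in the comment above, as an added example that is not part of the bug report and not Tomcat's own code: a servlet that emits a link built from the context path, with the request-derived pattern the report describes shown beside the form that takes the canonical path from the ServletContext (the JSP implicit object `application`) and HTML-escapes it before writing it into markup. The class name, the `escapeHtml` helper and the `jakarta.servlet` package names are assumptions; on Tomcat 9 and earlier the same code applies with the `javax.servlet` package names.

```java
// Added example, not from the bug report or from Tomcat's code base.
// Assumes the Jakarta Servlet API (jakarta.servlet.*).
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class ContextPathLinkServlet extends HttpServlet {

    // Minimal HTML escaping for the five characters that matter when a
    // string is placed into element content or a quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // The pattern the bug report describes: request.getContextPath() is the
        // original, undecoded path as sent by the client, so writing it into
        // markup unescaped puts request-controlled text into the page.
        // String unsafeLink = "<a href=\"" + request.getContextPath() + "/home\">Home</a>";

        // Preferred source: the canonical context path from the ServletContext
        // is deployment configuration, not request data.
        String canonical = getServletContext().getContextPath();

        // Regardless of the source, escape before emitting into HTML.
        String link = "<a href=\"" + escapeHtml(canonical) + "/home\">Home</a>";

        out.println("<!DOCTYPE html><html><body>");
        out.println(link);
        out.println("</body></html>");
    }
}
```

The same two changes apply directly in a JSP: replace `request.getContextPath()` with `application.getContextPath()`, and wrap the value in an escaping call (or `<c:out>`) at the point where it is written into the page.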