DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39810>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39810

           Summary: Security flaw in security-constraint when request made by "\"
           Product: Tomcat 5
           Version: 5.5.17
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]


I have the following web.xml part...

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <description>Accessible by registered users</description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>These are the roles who have access</description>
        <role-name>registered</role-name>
      </auth-constraint>
    </security-constraint>

and all the other necessary parts... The problem is that everything is fine while the requests are like "http://localhost:8080/admin/something": as expected it sends me to the defined login page. BUT THE PROBLEM IS WHEN I USE "\" (backslash) AS THE SEPARATOR, like "http://localhost:8080/admin\something": Tomcat retrieves the resource with no security concerns...

Hope this is helpful enough... Oh, while I was writing this I realized that this bug is only showing in the Firefox browser, so I imagine maybe it's their bug. Please let me know so I can put this to them if this is not the place where I should post this. Anyway, it seems very important for you, so I'm posting.

David Castañeda

--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
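The defensive lesson in the report above is that an authorization check must run on the canonical form of the request path, not on the raw bytes the client sent: if the container (or the Windows file system underneath it, as in this Windows XP report) later treats "\" as a separator but the security-constraint matcher does not, "/admin\something" slips past the "/admin/*" pattern. The following Python is an added illustration written for this page, not Tomcat's code and not part of the original bug report; the function names (normalize_path, matches_pattern, is_protected, naive_is_protected) and the single "/admin/*" pattern taken from the reporter's web.xml are assumptions for the example. It goes slightly beyond the report by also folding in percent-encoded separators, duplicate slashes and ".." segments, which are the same class of mismatch.

```python
import posixpath
import re
from urllib.parse import unquote

# The url-pattern from the web.xml quoted in the bug report.
PROTECTED_PATTERNS = ["/admin/*"]


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching it against url-patterns.

    Steps, in order:
      1. percent-decode once, so "%5C" and "%2F" become literal separators
         (decoding exactly once keeps double-encoded input from being
         decoded further; a leftover "%" is treated as a literal character);
      2. treat backslash as a path separator, the Windows-style form the
         report uses;
      3. collapse repeated slashes, then resolve "." and ".." segments
         (posixpath.normpath keeps a leading "//", so duplicates are
         collapsed first).
    """
    path = unquote(raw_path)
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def matches_pattern(path: str, pattern: str) -> bool:
    """Servlet-style url-pattern match on an already-canonical path.

    "/x/*" matches "/x" and anything below "/x/", "*.ext" matches by
    extension, and everything else is an exact match.
    """
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def naive_is_protected(raw_path: str, patterns=PROTECTED_PATTERNS) -> bool:
    """The failure mode from the report: match on the raw path as sent."""
    return any(matches_pattern(raw_path, p) for p in patterns)


def is_protected(raw_path: str, patterns=PROTECTED_PATTERNS) -> bool:
    """The corrected check: canonicalize first, then match."""
    canonical = normalize_path(raw_path)
    return any(matches_pattern(canonical, p) for p in patterns)


if __name__ == "__main__":
    # Constructed request paths, including the backslash form from the report.
    for sample in ["/admin/something", "/admin\\something",
                   "/admin%5Csomething", "/public/../admin/x", "/public/x"]:
        print(f"{sample!r:24} naive={naive_is_protected(sample)!s:5} "
              f"canonical={is_protected(sample)}")
```

Running it shows the raw-path matcher letting "/admin\something" through while the canonicalizing matcher still classifies it as protected; the same holds for the percent-encoded and dot-segment variants. The general rule is that the path used for the authorization decision must be the same path the resource lookup will use, so the matcher should see the request only after the same normalization the file system or servlet mapper will apply.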