https://bz.apache.org/bugzilla/show_bug.cgi?id=60594

--- Comment #22 from Mark Thomas <ma...@apache.org> ---
You mean '<' and '>' ?

There is always the risk that unexpected reverse proxy behaviour will trigger a
CVE-2016-6816-like issue but that risk exists for any white-listed character
that should really be encoded.

I don't see it affecting the URL parsing in Tomcat.

If the undecoded URL is used in any XML-like output it is likely to break it.
But any user that is using '<' and '>' will be facing that problem already.

They look to be higher risk in terms of breaking stuff, but not in a security
sense.

+1 to your approach.
