https://bz.apache.org/bugzilla/show_bug.cgi?id=66513
--- Comment #5 from Vincent Liautaud <vincent.liaut...@free.fr> ---
Hi all,

in addition to the fix, could you ask the development team:

1- To patch the following documentation regarding PersistentValve:
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html

The documentation contains an example of a filter:

filter=".*\.gif|.*\.js|.*\.jpeg|.*\.jpg|.*\.png|.*\.htm|.*\.html| .*\.css|.*\.txt"

This filter introduces a malicious space character before the .*\.css !!!
For users (like me) who will copy and paste this filter in their configuration file, all css requests are not filtered.

2- Could you ask the development team to add a debug trace in order to display all the requests that have not been filtered (see below). That way we could verify and detect all the errors/lack of filtering.

Regards and have a nice week.

@Override
public void invoke(Request request, Response response) throws IOException, ServletException {

    // request without session
    if (isRequestWithoutSession(request.getDecodedRequestURI())) {
        getNext().invoke(request, response);
        return;
    }

    // TO BE ADDED TO DISPLAY ALL THE REQUEST URI NOT FILTERED
    if (container.getLogger().isDebugEnabled()) {
        container.getLogger().debug("Request not filtered:"+request.getRequestURI());
    }
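
Added example, not part of the original comment and not Tomcat code: it shows why the space before `.*\.css` stops CSS requests from matching the filter, and a configuration check that flags alternatives carrying stray whitespace. The class name, helper names and sample URIs are constructed for illustration, and it assumes the valve applies the filter as a full match against the request URI.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class FilterWhitespaceCheck {

    // Filter exactly as quoted in the comment, including the space before ".*\.css".
    static final String DOC_FILTER =
        ".*\\.gif|.*\\.js|.*\\.jpeg|.*\\.jpg|.*\\.png|.*\\.htm|.*\\.html| .*\\.css|.*\\.txt";

    // Assumption: the filter must match the whole request URI (Matcher.matches()).
    static boolean isFiltered(String filter, String uri) {
        return Pattern.compile(filter).matcher(uri).matches();
    }

    // Alternatives that begin or end with whitespace.
    // Simplification: splits on every '|', which is adequate for flat
    // extension lists like this one but not for patterns with an escaped "\|".
    static List<String> strayWhitespace(String filter) {
        return Arrays.stream(filter.split("\\|", -1))
            .filter(alt -> !alt.equals(alt.trim()))
            .collect(Collectors.toList());
    }

    // Same filter with each alternative trimmed.
    static String trimmed(String filter) {
        return Arrays.stream(filter.split("\\|", -1))
            .map(String::trim)
            .collect(Collectors.joining("|"));
    }

    public static void main(String[] args) {
        // Constructed sample URIs.
        String[] uris = {"/img/logo.png", "/css/site.css", "/index.html", "/app/orders"};
        String repaired = trimmed(DOC_FILTER);
        for (String uri : uris) {
            System.out.printf("%-16s documented=%-5b repaired=%b%n",
                uri, isFiltered(DOC_FILTER, uri), isFiltered(repaired, uri));
        }
        System.out.println("Alternatives with stray whitespace: " + strayWhitespace(DOC_FILTER));
    }
}
```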