Why do you think the default is bad?

Because it breaks the spec and allows unexpected handling of URLs that
are encoded (for example: /context-A/%252E%252E/context-B, which is sent
to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat
as /context-B).

So how do you suggest handling a change?

- Being secure by default, i.e. really changing the default in 1.2 and putting a big note about it in the docs, the news page and maybe the download README

or/and

- Staying compatible in 1.2, changing in 1.3, but putting a big note in the docs page about the security relevance of the options.

Regards,

Rainer
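The double-decoding problem Rainer describes, as an added illustration that is not code from mod_jk or Tomcat: a front end decodes the request path once and forwards it, and a backend that decodes the forwarded path a second time and then normalises "." and ".." segments ends up mapping /context-A/%252E%252E/context-B to /context-B. The function names, the two context paths and the request strings below are all constructed for this example; the "strict" backend shows the safer behaviour of treating the forwarded path as final and rejecting any left-over escape of a path-sensitive character.

```python
"""Double URL-decoding demo: front end decodes once, backend decodes again.

Constructed example; not the mod_jk/Tomcat implementation.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed example contexts (hypothetical deployment).
CONTEXTS = ["/context-A", "/context-B"]

# Escapes that would change how a path is split into segments if they were
# decoded a second time: '.', '/', '\' and '%' itself.
_DANGEROUS_ESCAPE = re.compile(r"%(2e|2f|5c|25)", re.IGNORECASE)


def front_end_decode(raw_path):
    """The front end (reverse proxy) decodes the request path exactly once."""
    return unquote(raw_path)


def map_context(path, contexts=CONTEXTS):
    """Normalise '.'/'..' segments and return the longest matching context."""
    normalized = posixpath.normpath(path)
    for ctx in sorted(contexts, key=len, reverse=True):
        if normalized == ctx or normalized.startswith(ctx + "/"):
            return ctx
    return None


def backend_lenient(forwarded_path):
    """The bad default: decode the already-decoded path a second time.

    '%2E%2E' becomes '..' here, so the traversal escapes context-A.
    """
    return map_context(unquote(forwarded_path))


def backend_strict(forwarded_path):
    """Safer behaviour: the forwarded path is final; never decode it again.

    Any remaining escape for '.', '/', '\\' or '%' can only be the result of
    double encoding, so the request is rejected (a 400 in a real server).
    """
    if _DANGEROUS_ESCAPE.search(forwarded_path):
        return "REJECTED"
    return map_context(forwarded_path)


def demo(raw_path="/context-A/%252E%252E/context-B"):
    """Run one request through both backends and return the outcomes."""
    forwarded = front_end_decode(raw_path)
    return {
        "forwarded": forwarded,
        "lenient": backend_lenient(forwarded),
        "strict": backend_strict(forwarded),
    }


if __name__ == "__main__":
    for raw in ("/context-A/%252E%252E/context-B", "/context-A/page%20one"):
        print(raw, "->", demo(raw))
```

The lenient backend returns "/context-B" for the double-encoded request while the strict one rejects it; an ordinary encoded request such as /context-A/page%20one maps to /context-A under both, which is why the strict check costs nothing for well-formed clients.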
