On Wed, 2007-05-16 at 13:17 +0200, Rainer Jung wrote:
> >> Why do you think the default is bad?
> >
> > Because it breaks the spec and allows unexpected handling of URLs that
> > are encoded (for example: /context-A/%252E%252E/context-B that is sent
> > to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat
> > as /context-B).
>
> So how do you suggest handling a change?
>
> - Being secure by default, i.e. really changing the default in 1.2 and
> putting a big note about it in the docs, the news page and maybe the
> download README

Yes, I think that is the correct option. Default values should always follow the spec and be as secure as possible.

Cheers

Jean-Frederic

> or/and
>
> - Staying compatible in 1.2, changing in 1.3 but putting a big note in
> the docs page about the options concerning the security relevance of the
> options.
>
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
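The double-decoding problem the thread describes can be seen in a few lines of Python. The model below is an added example written for this page; it is not mod_jk or Tomcat code, and the function names (`proxy_forward`, `container_map`, `rejects_double_encoding`) and the two forwarding modes are assumptions chosen to illustrate the two behaviours being debated. It shows how forwarding the proxy's already-decoded path lets the container's own decode turn `%2E%2E` into `..` and remap the request to a different context, how re-escaping before forwarding keeps the request inside its original context, and an edge check a defender can run on the incoming URI to flag a second encoding layer.

```python
from urllib.parse import quote, unquote
from typing import Tuple
import posixpath
import re

# Constructed sample request reproducing the thread's scenario (not a captured log line).
SAMPLE_URI = "/context-A/%252E%252E/context-B"


def proxy_forward(request_uri: str, mode: str) -> str:
    """Model of a front-end proxy handing the request URI to the servlet container.

    mode == "decoded": forward the once-decoded path as-is (the default the thread
                       objects to; the container will decode it a second time).
    mode == "escaped": decode once, then re-escape, so the container's own decode
                       yields exactly the path the client encoded once.
    """
    once = unquote(request_uri)          # the proxy's single decode step
    if mode == "decoded":
        return once
    if mode == "escaped":
        # '%' becomes '%25', so no second encoding layer survives the backend decode.
        return quote(once, safe="/")
    raise ValueError(f"unknown forwarding mode {mode!r}")


def container_map(forwarded_uri: str) -> Tuple[str, str]:
    """Model of the container: decode once, normalise dot segments, pick the context
    from the first path segment. Returns (context, normalised_path)."""
    path = posixpath.normpath(unquote(forwarded_uri))
    segments = path.split("/")
    context = "/" + segments[1] if len(segments) > 1 else "/"
    return context, path


# Percent sequences that still encode '.', '/', '\\' or '%' after one decode.
ENCODED_PATH_CHARS = re.compile(r"%(2e|2f|5c|25)", re.IGNORECASE)


def rejects_double_encoding(request_uri: str) -> bool:
    """Defensive edge check: after exactly one decode, refuse a path that still carries
    an encoded path character (a second encoding layer) or a literal '..' segment."""
    once = unquote(request_uri)
    if ENCODED_PATH_CHARS.search(once):
        return True
    return any(segment == ".." for segment in once.split("/"))


if __name__ == "__main__":
    for mode in ("decoded", "escaped"):
        forwarded = proxy_forward(SAMPLE_URI, mode)
        context, path = container_map(forwarded)
        print(f"{mode:8s} forwarded={forwarded!r:40s} -> context={context} path={path}")
    print("edge check flags sample:", rejects_double_encoding(SAMPLE_URI))
```

With the "decoded" mode the container receives `/context-A/%2E%2E/context-B`, decodes it to `/context-A/../context-B` and normalises it to `/context-B`, which is the cross-context mapping Jean-Frederic describes. With the "escaped" mode the container receives `/context-A/%252E%252E/context-B`, decodes it to `/context-A/%2E%2E/context-B`, and the request stays in `/context-A`. The edge check is independent of the forwarding mode and flags the request before it is forwarded at all.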