DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2011-01-08 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
Mark Thomas changed:
  Status: NEW -> RESOLVED
  Resolution:

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2011-01-05 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #15 from Mark Thomas 2011-01-05 11:48:05 EST ---
No. The view was that it was mis-configuration rather than a vulnerability (the default servlet was never intended to be mapped to anything other than /).
-- Configure bugmail:

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2011-01-05 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #14 from Christopher Schultz 2011-01-05 11:30:07 EST ---
Has a CVE number been assigned to this? Seems there should be one, and this vulnerability should be documented in Tomcat's security page(s).

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #13 from bozho 2010-10-26 15:09:44 EDT ---
> Insufficient, since that would expose other directories that a site might not
> want to give direct access to.
For example? How would other directories be protected?
> Because the

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #12 from Chuck Caldarale 2010-10-26 14:21:24 EDT ---
(In reply to comment #11)
> Instead of disallowing the whole remapping of the default servlet, can't this
> be implemented (as suggested) by using the getPathInfo(). for exam

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #11 from bozho 2010-10-26 13:38:27 EDT ---
Instead of disallowing the whole remapping of the default servlet, can't this be implemented (as suggested) by using getPathInfo()? For example:
String pathInfo = request.getPathIn

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
Mark Thomas changed:
  CC: added gl...@abv.bg
--- Comment #10 from Ma

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-04 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #9 from Tim Whittington 2010-10-04 23:08:28 EDT ---
Fixes for DefaultServlet and WebdavServlet are committed for 7.0.x (will be in 7.0.4+) and proposed for 6.0.x. Will need to check 5.5.x and see if a backport is required for

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-04 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #8 from Tim Whittington 2010-10-04 16:09:02 EDT ---
(In reply to comment #5)
> Some random thoughts:
> - The default Servlet doesn't *need* to support serving content from an
> arbitrary mapping. The user can just move the stat

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #7 from Tim Whittington 2010-10-03 16:54:25 EDT ---
> I personally can live with the WONTFIX, but this leaves a huge security hole
> for companies/ones who are using the DefaultServlet this way. This should
> probably better be

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #6 from balusc 2010-10-03 11:59:03 EDT ---
@Tim: that was one of my answers over there :) This issue is by the way triggered by another Stackoverflow question (so it was not my intent to (ab)use the default servlet like that) ht

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #5 from Mark Thomas 2010-10-03 06:05:17 EDT ---
Some random thoughts:
- The default Servlet doesn't *need* to support serving content from an arbitrary mapping. The user can just move the static content in the web-app to the des

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-10-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
Tim Whittington changed:
  Priority: P2 -> P3
  Severity: critical ->

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-09-29 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #3 from Chuck Caldarale 2010-09-29 12:34:42 EDT ---
(In reply to comment #2)
> No, there are no directories like that in `/static` folder. It actually refers
> to the restricted directories in the context root.
The standard De

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-09-29 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #2 from balusc 2010-09-29 12:08:27 EDT ---
No, there are no directories like that in `/static` folder. It actually refers to the restricted directories in the context root.

DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*

2010-09-29 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
--- Comment #1 from Pid 2010-09-29 11:57:22 EDT ---
(In reply to comment #0)
> The following in web.xml
>
> static
> org.apache.catalina.servlets.DefaultServlet
>
> static
> /static/*
>