Larry,

> > Sorry, Clicked the wrong button. :)
>
No problem, :) I understand the concerns, and the change seems a little daring, I know.. anyway, review by peers works, thank god.. :)

> To finish the thought, with the change below, does
>
> http://localhost/test%2F/test.jsp
>
> still go to Tomcat? Or is it blocked from going
> to Tomcat because it is a "bad" URL. If it doesn't
> go to Tomcat, how do we know some other filter in the
> chain isn't going to serve it statically?

Take into account that to be able to map, we first need to unescape the URL. It's the unescaping function that gives these errors, so we can only block these URLs prior to doing the mapping, so we really don't know if the URL should go to Tomcat or not at this point..

And it's almost the same case as in Apache, where you need to explicitly block WEB-INF if you want to block people from looking in there when using a configuration where the Tomcat context is directly configured as an Apache-served directory.. something that needs to be tweaked to be secure.. I think this is the same case: it's an advanced configuration, there are possible source disclosures, but it's a risk you can sort out.. like in the Apache WEB-INF case.. And the casual and default configuration doesn't have these "advanced" features..

Do you see another way to fix 16759?

Regards,
Ignacio J. Ortega
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
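As an added example (not code from this thread and not mod_jk's own implementation), the following C snippet models the ordering Ignacio describes: the raw URI is unescaped first, the mapper only ever sees the decoded path, and a URI the unescaper refuses (an encoded slash such as `%2F`, an encoded NUL, or a malformed escape) is answered as a bad request at that point instead of being handed on to the next handler in the chain, which is the concern Larry raises. It also shows the explicit WEB-INF/META-INF block the thread compares this to. The function names `unescape_path`, `route_request`, the `tomcat_contexts` table and the verdict enum are all hypothetical, chosen for this illustration.

```c
/* Illustrative decode-then-map check, modelled on the ordering discussed in
 * the thread (unescape first, then map).  Not mod_jk code; all names here are
 * hypothetical and the context table is a constructed sample. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

enum verdict { FORWARD_TO_TOMCAT = 0, SERVE_LOCALLY = 1, REJECT_BAD_URL = 2 };

/* Decode %XX sequences into out.  Fails on a malformed escape, an encoded
 * NUL, and an encoded '/' (%2F), because a slash that only appears after
 * decoding would change the path structure the mapper relies on.
 * Returns 0 on success, -1 on failure. */
static int unescape_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* Short-circuit keeps in[i+2] unread when in[i+1] is the NUL. */
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            if (c == 0 || c == '/')
                return -1;
            i += 2;
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Constructed sample of context prefixes that belong to Tomcat. */
static const char *tomcat_contexts[] = { "/examples", "/test", NULL };

/* Walk the decoded path segment by segment and refuse WEB-INF / META-INF,
 * mirroring the explicit block the thread says Apache needs when a context
 * directory is also served directly by Apache. */
static int decoded_path_hits_webinf(const char *p)
{
    const char *seg = p;
    while (*seg) {
        if (*seg == '/')
            seg++;
        size_t len = strcspn(seg, "/");
        if ((len == 7 && strncasecmp(seg, "WEB-INF", 7) == 0) ||
            (len == 8 && strncasecmp(seg, "META-INF", 8) == 0))
            return 1;
        seg += len;
    }
    return 0;
}

/* Decode first, then map.  A decode failure is answered here as a bad
 * request; it is never passed on to a later handler that might serve the
 * file statically. */
enum verdict route_request(const char *raw_uri)
{
    char path[1024];
    if (unescape_path(raw_uri, path, sizeof path) != 0)
        return REJECT_BAD_URL;
    if (decoded_path_hits_webinf(path))
        return REJECT_BAD_URL;
    for (const char **ctx = tomcat_contexts; *ctx; ctx++) {
        size_t n = strlen(*ctx);
        if (strncmp(path, *ctx, n) == 0 && (path[n] == '/' || path[n] == '\0'))
            return FORWARD_TO_TOMCAT;
    }
    return SERVE_LOCALLY;
}

int main(void)
{
    const char *samples[] = {
        "/test/test.jsp",              /* forwarded */
        "/test%2F/test.jsp",           /* the URL from the thread: rejected */
        "/test/%57EB-INF/web.xml",     /* decodes to WEB-INF: rejected */
        "/index.html",                 /* not a Tomcat context: served locally */
        NULL
    };
    for (const char **s = samples; *s; s++)
        printf("%-28s -> %d\n", *s, route_request(*s));
    return 0;
}
```

The point worth keeping from this layout is that the `%2F` case never reaches the "is this a Tomcat URL?" decision at all: the mapper cannot answer that question for a URL it cannot decode, so the only safe outcome is an error from the same layer that does the decoding. Note also that `/test/%57EB-INF/web.xml` is refused only because the WEB-INF check runs on the decoded path; a prefix check on the raw URI would have missed it.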