That's pretty much it. TC 4.0.x didn't handle some traversal attacks well without this set. TC 4.1.x should handle it fine without it being set. The especially paranoid can set it anyway, and have one more choke-point for traversal attacks. I'm including the source for 'validate' so you can see what it checks for:
    protected static String validate(String path) {

        if (path == null)
            return null;

        // Create a place for the normalized path
        String normalized = path;

        // Normalize "/%7E" and "/%7e" at the beginning to "/~"
        if (normalized.startsWith("/%7E") || normalized.startsWith("/%7e"))
            normalized = "/~" + normalized.substring(4);

        // Prevent encoding '%', '/', '.' and '\', which are special reserved
        // characters
        if ((normalized.indexOf("%25") >= 0)
            || (normalized.indexOf("%2F") >= 0)
            || (normalized.indexOf("%2E") >= 0)
            || (normalized.indexOf("%5C") >= 0)
            || (normalized.indexOf("%2f") >= 0)
            || (normalized.indexOf("%2e") >= 0)
            || (normalized.indexOf("%5c") >= 0)) {
            return null;
        }

        if (normalized.equals("/."))
            return "/";

        // Normalize the slashes and add leading slash if necessary
        if (normalized.indexOf('\\') >= 0)
            normalized = normalized.replace('\\', '/');
        if (!normalized.startsWith("/"))
            normalized = "/" + normalized;

        // Resolve occurrences of "//" in the normalized path
        while (true) {
            int index = normalized.indexOf("//");
            if (index < 0)
                break;
            normalized = normalized.substring(0, index) +
                normalized.substring(index + 1);
        }

        // Resolve occurrences of "/./" in the normalized path
        while (true) {
            int index = normalized.indexOf("/./");
            if (index < 0)
                break;
            normalized = normalized.substring(0, index) +
                normalized.substring(index + 2);
        }

        // Resolve occurrences of "/../" in the normalized path
        while (true) {
            int index = normalized.indexOf("/../");
            if (index < 0)
                break;
            if (index == 0)
                return (null);  // Trying to go outside our context
            int index2 = normalized.lastIndexOf('/', index - 1);
            normalized = normalized.substring(0, index2) +
                normalized.substring(index + 3);
        }

        // Declare occurrences of "/..." (three or more dots) to be invalid
        // (on some Windows platforms this walks the directory tree!!!)
        if (normalized.indexOf("/...") >= 0)
            return (null);

        // Return the normalized path that we have completed
        return (normalized);

    }

"Jason Bainbridge" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On Sat, 31 May 2003 06:37, Michenaud Laurent wrote:
> > I can't find any documentation about the parameter useURIValidationHack.
>
>         // Additional URI normalization and validation is needed for security
>         // reasons on Tomcat 4.0.x
>         if (connector.getUseURIValidationHack()) {
>             String uri = validate(request.getRequestURI());
>             if (uri == null) {
>                 res.setStatus(400);
>                 res.setMessage("Invalid URI");
>                 throw new IOException("Invalid URI");
>             } else {
>                 req.requestURI().setString(uri);
>                 // Redoing the URI decoding
>                 req.decodedURI().duplicate(req.requestURI());
>                 req.getURLDecoder().convert(req.decodedURI(), true);
>             }
>         }
>
> I'm guessing this is because of the ServletInvoker security exploit, either
> that or another one that was in earlier 4.0 versions, maybe one of the
> development types on the list will be able to shine more light on the
> subject.
>
> Regards,
> --
> Jason Bainbridge
> KDE Web Team - http://kde.org
> [EMAIL PROTECTED]
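To see what the hack actually accepts and rejects, here is an added example (not Tomcat's code and not from the message above): a Python port of the validate() method, run over a handful of constructed request URIs, plus a deliberately weakened variant for contrast. The weak variant (unsafe_normalize_then_decode, a name invented here) does the same slash and dot collapsing but skips the refusal of encoded '%', '/', '.' and '\'. Because the container decodes the URI only after the check, as the "Redoing the URI decoding" lines quoted above show, a "%2e%2e" segment passes the "/../" resolution untouched and decodes into a real ".." afterwards; refusing those encodings up front is what closes that gap.

```python
"""Python port of Tomcat 4's validate() (the useURIValidationHack check),
added as an illustration; this is not Tomcat's code.  Run as a script it
prints the verdict for a set of constructed request URIs and contrasts the
check with a weakened variant that skips the encoded-character refusal."""

from urllib.parse import unquote


def _collapse(normalized):
    """Slash/dot resolution part of validate(): backslashes, leading slash,
    "//", "/./", "/../" and the "/..." rejection.  Returns None when a
    "/../" would climb above the context root."""
    normalized = normalized.replace("\\", "/")
    if not normalized.startswith("/"):
        normalized = "/" + normalized

    while "//" in normalized:
        normalized = normalized.replace("//", "/")

    while "/./" in normalized:
        normalized = normalized.replace("/./", "/")

    while True:
        index = normalized.find("/../")
        if index < 0:
            break
        if index == 0:
            return None                       # trying to leave the context
        index2 = normalized.rfind("/", 0, index)
        normalized = normalized[:index2] + normalized[index + 3:]

    # "/..." (three or more dots) walks the tree on some Windows versions
    if "/..." in normalized:
        return None
    return normalized


def validate(path):
    """Return the normalized path, or None for a 400.  Mirrors the Java
    method step for step; input is the raw, still percent-encoded URI."""
    if path is None:
        return None
    normalized = path

    # "/%7E" or "/%7e" at the start becomes "/~"
    if normalized.startswith(("/%7E", "/%7e")):
        normalized = "/~" + normalized[4:]

    # Encoded '%', '/', '.' and '\' are refused outright.  The container
    # decodes the URI after this check, so "%2e%2e" would become ".."
    # only once the normalization below can no longer see it.
    lowered = normalized.lower()
    if any(enc in lowered for enc in ("%25", "%2f", "%2e", "%5c")):
        return None

    if normalized == "/.":
        return "/"
    return _collapse(normalized)


def checked_then_decode(raw):
    """What the container works with after the hack: validate(), then decode."""
    kept = validate(raw)
    return None if kept is None else unquote(kept)


def unsafe_normalize_then_decode(raw):
    """Weak variant, constructed for contrast (not Tomcat's behaviour): the
    same collapsing without refusing encoded specials, decoded afterwards.
    A "%2e%2e" segment survives the ".." resolution and decodes into a
    traversal once the check is behind it."""
    kept = _collapse(raw)
    return None if kept is None else unquote(kept)


# Constructed request URIs (not taken from any real log)
SAMPLES = [
    "/app/index.jsp",
    "/%7Ealice/index.html",
    "/app//./css/../style.css",
    "/app/../../WEB-INF/web.xml",
    "/app\\..\\..\\WEB-INF\\web.xml",
    "/app/%2e%2e/%2e%2e/WEB-INF/web.xml",
    "/app/%252e%252e/WEB-INF/web.xml",
    "/app/.../",
    "/../etc/passwd",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:42} validate -> {validate(raw)!r}")
    probe = "/app/%2e%2e/WEB-INF/web.xml"
    print("weak variant  :", unsafe_normalize_then_decode(probe))
    print("with the hack :", checked_then_decode(probe))
```

Two things worth noticing when running it: the double-encoded "%252e" case is caught by the "%25" rule rather than by any ".." logic, so a second decoding pass downstream cannot resurrect it; and a bare trailing "/.." with no closing slash (for example "/app/..") is passed through unchanged by this method, which is one reason to read it, as the message does, as one more choke point in front of the container's own decoding and normalization rather than a replacement for them.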