On 24/09/2020 17:28, Christopher Schultz wrote:
<snip/>
> Tomcat will only use path parameters in the final segment of a URL e.g.
> https://www.example.com/app/servlet;jsessionid=ABCD1234?q=search

Not quite. Tomcat will only *add* the jsessionid at the end but it will
accept it on any segment. Internally, Tomcat has an API to access path
parameters but it only tracks name and value (as that is all that is
required to extract jsessionid). It would be trivial to extend it to
include path information as well.

> Assuming your application doesn't use path-parameters for anything else,
> you should be able to detect and block any non-terminal path-segment
> which contains a parameter and simply refuse the request with 400 or
> something similar.

That is probably the simplest option in this case.

Mark
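One way to implement the check discussed above, as an added example that is not part of the thread and not Tomcat's own code: a servlet Filter that inspects the raw request URI and answers 400 when any segment other than the last carries a `;name=value` path parameter. It assumes the `javax.servlet` API (Tomcat 9 and earlier; Tomcat 10 moved to `jakarta.servlet`), that the application uses no path parameters of its own, and that `HttpServletRequest.getRequestURI()` returns the undecoded path with path parameters still present and the query string removed, which is the Servlet specification's behaviour.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (hypothetical name, not Tomcat code). Tomcat itself only
 * ever appends jsessionid to the final path segment, so a path parameter in
 * any earlier segment is not something this application expects; the request
 * is refused with 400 before any servlet sees it.
 */
@WebFilter("/*")
public class NonTerminalPathParamFilter implements Filter {

    /**
     * Returns true when a ';' appears in any segment before the last one.
     * Works on the raw URI (path parameters present, query string absent).
     */
    static boolean hasNonTerminalPathParameter(String requestUri) {
        int lastSlash = requestUri.lastIndexOf('/');
        if (lastSlash <= 0) {
            // "/servlet;jsessionid=..." has only a final segment: allowed.
            return false;
        }
        // Everything before the final '/' is the set of non-terminal segments.
        return requestUri.substring(0, lastSlash).indexOf(';') >= 0;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (hasNonTerminalPathParameter(request.getRequestURI())) {
            // e.g. /app;jsessionid=ABCD1234/servlet -> 400 Bad Request
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // e.g. /app/servlet;jsessionid=ABCD1234 -> passes through unchanged
        chain.doFilter(req, res);
    }
}
```

Because the check runs on the raw URI, a URL-rewritten session id in the final segment (the only place Tomcat puts it) still works, while `/app;jsessionid=X/servlet` and a trailing-slash variant such as `/app;x=1/` are both rejected. If the application ever starts using path parameters itself, narrow the check to the `jsessionid` name rather than any `;`.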