On Jul 23, 2009, at 4:00 AM, Mark Thomas wrote:

Konstantin Kolinko wrote:
2009/7/22 Rémy Maucherat <remy.mauche...@gmail.com>:
On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas <ma...@apache.org> wrote:
You'll need to provide more details. Nothing stands out from the security pages.

Please provide step by step instructions to reproduce from a clean Tomcat installation.

Please also note that potential security vulnerabilities should be reported privately (see http://tomcat.apache.org/security.html), rather than to a public list. Since you have posted to a public list, there is no point continuing in private.
I don't think the host is used in HTML generated by Tomcat. OTOH, like the other strings returned by the API, ServletRequest.getServerName is not XSS filtered.

At least, if there are concerns about that, there is a workaround:

you can specify proxyName attribute on a <Connector> element in server.xml

In that case the one that is in request will be ignored.

Documentation is here:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html

For the record, private mail with more detail has indicated that this is an issue in an application deployed to Tomcat, rather than Tomcat itself. The issue has been forwarded to the appropriate folks to be dealt with.

I am glad that this was discussed in public.

We make use of getServerName, and in most cases it is filtered appropriately. However, for completeness, we are looking at all uses of this method.

Regards,
Dave


Mark
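An added illustration of the point Konstantin raises above (not code from this thread or from Tomcat itself): a hypothetical servlet that echoes ServletRequest.getServerName(), with the raw reflection shown beside an HTML-encoded version, and the proxyName Connector workaround noted as a comment. The servlet name, the escape helper and the proxyName value are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (added example, not from the thread or from Tomcat).
// getServerName() is derived from the client-supplied Host header unless the
// Connector's proxyName attribute pins it, so treat it as untrusted input
// before it reaches an HTML page.
public class ServerNameServlet extends HttpServlet {

    // Minimal HTML escaping for text and double-quoted attribute contexts.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String host = req.getServerName();

        // Unsafe (the application-side bug the thread describes): the raw
        // value is written into the page. Kept only as a comment for contrast.
        // out.println("<p>You reached " + host + "</p>");

        // Safe: encode for the HTML context before output.
        out.println("<p>You reached " + escapeHtml(host) + "</p>");
    }
}

// Tomcat-side workaround from the thread: pin the name in conf/server.xml so
// the Host header in the request is ignored by getServerName()
// (hostname below is a placeholder):
//   <Connector port="8080" protocol="HTTP/1.1"
//              proxyName="www.example.com" proxyPort="80" />
```

Encoding at output is the fix that holds regardless of which Connector setting is in place; proxyName only controls what value the container hands back.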


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


