On 13 September 2016 at 19:09, Mark Thomas <markt_at_apache.org> wrote:
> The most notable problem we had in Tomcat when we started providing the
> original, undecoded, unnormalized value for
> HttpServletRequest#getContextPath() was with applications that were
> using this to make security decisions. Those applications were assuming
> that a decoded, normalized value would be returned and they broke badly
> (i.e. the security constraints were bypassed) when Tomcat started
> following the spec.
>
You'd hope that with this spec being the age it is, this kind of security
issue will be less and less of a problem, but there is still a non-zero
possibility of future spec-induced security issues.
I'm wondering if we should have a private forum for the servlet-spec where
we can raise such problems that may be cross container and jointly come up
with a response.
Or perhaps the current CVE/CERT style mechanisms should be enough... but
obviously they did not trigger in this instance? Or perhaps they did but
Jetty was not notified because we didn't comply with the spec? Was a
CVE raised for this vulnerability? Should it have been as potentially all
spec compliant containers were vulnerable?
regards
--
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
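The failure mode Mark Thomas describes above, as an added example that is not code from Tomcat, Jetty or this thread: a check that compares the context path to a constant works only while the container hands back a decoded, normalized value; once the container returns the context path as it appeared in the request URI (which is what the Servlet API documents for HttpServletRequest#getContextPath, "the container does not decode this string"), the same web application can be reached under spellings the check does not recognize. The "/secure" context, the raw request values and the method names are assumptions for illustration; the raw strings are constructed here rather than taken from a live request.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example, not part of the original thread: a context-path security
 * check that assumes a decoded, normalized value, beside a version that
 * canonicalizes the raw value first. In a real filter the raw value would
 * come from HttpServletRequest#getContextPath(); here it is passed in.
 */
public class ContextPathCheck {

    // Hypothetical protected context. The container maps every raw spelling
    // below to this same web application.
    static final String PROTECTED_CONTEXT = "/secure";

    // Naive check: compares the raw value to the decoded constant. It held
    // while the container returned a decoded, normalized context path, and
    // silently stops matching (constraint bypassed) once it no longer does.
    static boolean naiveIsProtected(String rawContextPath) {
        return PROTECTED_CONTEXT.equals(rawContextPath);
    }

    // Canonicalize a raw context path: percent-decode, then collapse "." and
    // ".." segments, so that every spelling the container accepts for a
    // context compares equal to one canonical string. Returns null (fail
    // closed) for anything that does not canonicalize cleanly.
    static String canonicalize(String rawContextPath) {
        try {
            // getPath() returns the percent-decoded path.
            String decoded = new URI(rawContextPath).getPath();
            if (decoded == null) {
                return null;
            }
            // Rebuild a URI from the decoded path (this constructor quotes
            // any illegal characters) and remove resolvable dot segments.
            String normalized = new URI(null, null, decoded, null).normalize().getPath();
            // A ".." that could not be resolved (e.g. "/../secure", which is
            // what "/%2e%2e/secure" decodes to) or a leftover "." means the
            // value is not a plain context name: reject it.
            for (String segment : normalized.split("/")) {
                if (segment.equals("..") || segment.equals(".")) {
                    return null;
                }
            }
            return normalized;
        } catch (URISyntaxException e) {
            return null; // unparseable input: fail closed
        }
    }

    // Hardened check: decide on the canonical form, never on the raw string.
    static boolean hardenedIsProtected(String rawContextPath) {
        String canonical = canonicalize(rawContextPath);
        return canonical != null && PROTECTED_CONTEXT.equals(canonical);
    }

    public static void main(String[] args) {
        // Constructed raw context-path values, as a spec-following container
        // may return them for requests that all reach the "/secure" context.
        String[] rawValues = { "/secure", "/%73ecure", "/foo/../secure", "/%2e%2e/secure" };
        for (String raw : rawValues) {
            System.out.printf("%-16s naive=%-5b hardened=%-5b canonical=%s%n",
                    raw, naiveIsProtected(raw), hardenedIsProtected(raw), canonicalize(raw));
        }
    }
}
```

The naive check returns true only for the first value, so a request that reaches the protected context as "/%73ecure" or "/foo/../secure" is treated as unprotected; the hardened check reduces those to "/secure" before comparing, and refuses the one spelling that does not canonicalize to a plain segment rather than guessing what the container would have done with it.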