Recently Tomcat has released CVE-2018-11784 (Apache Tomcat redirection issue), and it says the Tomcat 7 version which I am using is affected.

https://bugzilla.redhat.com/show_bug.cgi?id=1636512

https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E

However, they also mentioned the mitigation steps that should be done. One of the mitigation steps is enabling the attributes `mapperDirectoryRedirectEnabled` and `mapperContextRootRedirectEnabled`, both to true, in the context.xml.

Currently we do not use any of the attributes, but as per the Apache Tomcat documentation (https://tomcat.apache.org/tomcat-7.0-doc/config/context.html), the default values of these attributes if not used are as below:

By default --> `mapperContextRootRedirectEnabled` will be "true"

By default --> `mapperDirectoryRedirectEnabled` will be "false"

And also the Tomcat CVE mentions that if `mapperDirectoryRedirectEnabled` = enabled:

"If enabled, requests for a web application directory will be redirected (adding a trailing slash) if necessary by the Mapper rather than the default Servlet. This is more efficient but has the side effect of confirming that the directory exists. If not specified, the default value of false is used."

Can you please let me know what are the side effects which might occur when we use or enable these attributes?
The online documentation is for the current (latest) released version of Tomcat. That is 7.0.91 at the time of this writing.

If you are using any older version, you must consult your own copy of the documentation webapp for the version that you are using, especially when dealing with security-sensitive options. Note that the old versions can be downloaded from the "Archives" site, as linked on the download page. There exists a "Full documentation" archive (fulldocs.tar.gz) for each version.

Those options control what happens when a client requests `http://yousite/yourapp` or `http://yousite/yourapp/yourdir` without a trailing '/' in the URL. Tomcat should respond with a 302 redirect to `http://yousite/yourapp/` or `http://yousite/yourapp/yourdir/` respectively.

The options control where (in the call stack / pipeline) the redirection happens. The pipeline is generally `Connector` (Coyote) → `CoyoteAdapter` → `Mapper` → `Valves` → `Filters` → `Servlet`.

If the redirection happens in `Mapper`, it means that the 302 redirection response will be sent to the client before any `Valve` takes a look at the request. If you have a `RemoteAddrValve` in your pipeline, it will not see this request and has no chance to reject it.

The old versions of Tomcat (earlier than December 2015 - earlier than 7.0.66) all behave as if both of those `mapper*RedirectEnabled` options are true.
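The answer's two points (the documented defaults apply only when the attribute is absent, and releases before 7.0.66 behave as if both options were true) can be checked mechanically against a deployed context.xml. The script below is an added example, not code from the question, the answer, or the Tomcat project. It reads a `<Context>` element, fills in the defaults quoted in the question, applies the answer's pre-7.0.66 rule, and reports for each option whether the 302 is issued by the Mapper (before any Valve runs) or by the default Servlet (after Valves and Filters). The two context.xml strings and the `7.0.66` cutoff constant are constructed for the example; the attribute names and defaults are the ones on the page.

```python
import xml.etree.ElementTree as ET

# Documented Tomcat 7 defaults when the attribute is absent from <Context>.
DEFAULTS = {
    "mapperContextRootRedirectEnabled": True,   # /yourapp -> /yourapp/
    "mapperDirectoryRedirectEnabled": False,    # /yourapp/yourdir -> /yourapp/yourdir/
}

# The answer states that releases before 7.0.66 behave as if both were true
# (constructed constant for this example, taken from that statement).
FIRST_VERSION_WITH_OPTIONS = (7, 0, 66)

# Constructed sample: a context.xml that sets only one of the two attributes.
SAMPLE_CONTEXT_XML = """<Context mapperDirectoryRedirectEnabled="false">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

# Constructed sample: the mitigation the question cites, both attributes true.
MITIGATED_CONTEXT_XML = """<Context mapperContextRootRedirectEnabled="true"
         mapperDirectoryRedirectEnabled="true"/>"""


def parse_version(version):
    """'7.0.91' -> (7, 0, 91). A non-numeric suffix such as '-RC1' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def effective_settings(context_xml, tomcat_version):
    """Effective value of both options for this <Context> on this Tomcat version."""
    root = ET.fromstring(context_xml)
    ctx = root if root.tag == "Context" else root.find(".//Context")
    if ctx is None:
        raise ValueError("no <Context> element in the supplied XML")
    if parse_version(tomcat_version) < FIRST_VERSION_WITH_OPTIONS:
        # Older releases ignore the attributes and always redirect in the Mapper.
        return {name: True for name in DEFAULTS}
    settings = {}
    for name, default in DEFAULTS.items():
        raw = ctx.get(name)
        # Absent attribute -> documented default; present -> only "true" enables it.
        settings[name] = default if raw is None else raw.strip().lower() == "true"
    return settings


def audit(context_xml, tomcat_version):
    """Map each option to where its 302 is issued and what that implies."""
    report = {}
    for name, enabled in effective_settings(context_xml, tomcat_version).items():
        if enabled:
            report[name] = (
                "Mapper issues the 302 before any Valve runs: a RemoteAddrValve "
                "cannot reject the request, and the response confirms the path exists."
            )
        else:
            report[name] = (
                "DefaultServlet issues the 302 after Valves and Filters: Valves can "
                "reject the request, but the mitigation cited for CVE-2018-11784 "
                "(both attributes true) is not in effect for this case."
            )
    return report


if __name__ == "__main__":
    for version in ("7.0.57", "7.0.91"):
        print(f"Tomcat {version}:")
        for name, note in audit(SAMPLE_CONTEXT_XML, version).items():
            print(f"  {name}: {note}")
```

Run it against the real `conf/context.xml` (or the per-application `META-INF/context.xml`) by replacing the constructed string, and pass the version string from `version.sh`; the output shows, per option, which trade-off the answer describes is currently in force.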