Posted by Mark Thomas on Jul 14

What you have found is not a bug in Apache Tomcat but a number of users
who have enabled directory listings for their sites.

Every version of Apache Tomcat for as long as I can remember (and
certainly every release of all currently supported versions) has shipped
with directory listings disabled.

If a user enables directory listings then it is up to them to secure it
in an appropriate manner for their site. It is perfectly possible that
for…