On 6/19/07, Michael Koch <[EMAIL PROTECTED]> wrote:
> The problem seems to be related to the ForwardURICompatUnparsed-Option being default since mod_jk 1.2.23. This was made default because of the security advisory CVS-2007-1860. When you are sure this security issue can't be exposed on your system please change the default options to use ForwardURICompat instead of ForwardURICompatUnparsed. This re-enables the old behavior:
>
> JkOptions +ForwardURICompat
>
> Please report back if this fixes your issues.

Thanks for pointing me in the right direction. I saw bug 425836, but didn't follow the link to the tomcat to see that it might affect mod_rewrite functionality.

Yep, both JkOptions +ForwardURICompat and JkOptions +ForwardURIEscaped work with mod_rewrite. I decided to use ForwardURIEscaped because of the warning against using ForwardURICompat with prefix JkMounts. Since we're not using URL encoded session IDs, it seemed like a better way to go.

http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding

I was unable to reproduce the vulnerability with a specially crafted URL with version 1.2.21-1, but maybe my URL wasn't special enough... I tried to follow the example from Red Hat's bugzilla.

Thanks again for your help!

Andy Hamilton