https://bz.apache.org/bugzilla/show_bug.cgi?id=62459

--- Comment #14 from Rainer Jung <rainer.j...@kippdata.de> ---
(In reply to Mark Thomas from comment #9)
> What you are asking for is logically impossible. If mod_jk sees the sequence
> "%2F" it has no way to determine if this is the result of decoding "%252F"
> or not decoding "%2F". Therefore it cannot correctly reverse the encoding.

It might become too complex, but httpd copies the original URI to
r->unparsed_uri and I think that one isn't decoded in any way. So we could in
theory check whether there's a "%25" or "%25F" or "%25f" sequence in the
original URI. E.g. if there's no "%25" it seems we should be safe in terms of
double decoding; if there's no "%25f" or "%25F" we should at least be safe from
double decoding a slash.

There can be some holes in this attempt, e.g. a RewriteRule might change the
URL and introduce "%25" (or "%25F" or "%25f") in the rewritten decoded URL,
which will not change the original unparsed_uri, but the one we need to
jk_canonenc(). So the behavior to check unparsed_uri and rely on it might need
to be an optional one, off by default.

Is this a direction we should try? Or do we open a new directory traversal
problem here?

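To make the two positions in this thread concrete, here is an added example (editor's code, not mod_jk or httpd source) that models the ambiguity Mark describes and the raw-URI check Rainer proposes. decode_once() stands in for the single %XX decoding httpd performs when it derives r->uri from r->unparsed_uri; the two raw_uri_* helpers scan the undecoded string for an escaped percent sign ("%25") and for a double-encoded slash, which I take to be "%252F"/"%252f" (that spelling is my assumption, as is the double_decode_is_safe() policy name). The sample request-URIs are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode exactly one layer of %XX escapes, mirroring the step that turns
 * r->unparsed_uri into r->uri. Malformed escapes are copied through
 * unchanged. The caller frees the returned buffer. */
char *decode_once(const char *in)
{
    size_t n = strlen(in), o = 0;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '%' && i + 2 < n
            && hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Convenience wrapper: does decode_once(in) equal expected? Frees the buffer. */
int decodes_to(const char *in, const char *expected)
{
    char *got = decode_once(in);
    int eq = got && strcmp(got, expected) == 0;
    free(got);
    return eq;
}

/* Case-insensitive substring search; the hex digits of a %XX escape may be
 * written in either case. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t hn = strlen(hay), nn = strlen(needle);
    for (size_t i = 0; i + nn <= hn; i++) {
        size_t j = 0;
        while (j < nn && tolower((unsigned char)hay[i + j])
                         == tolower((unsigned char)needle[j]))
            j++;
        if (j == nn) return 1;
    }
    return 0;
}

/* "%25" in the raw request-URI is an escaped '%': the only way a second
 * encoding layer can be present at all. */
int raw_uri_has_escaped_percent(const char *unparsed_uri)
{
    return contains_nocase(unparsed_uri, "%25");
}

/* "%252F" decodes once to "%2F", an encoded slash that a second decoding
 * would turn into a path separator. (Assumed spelling of the pattern.) */
int raw_uri_has_double_encoded_slash(const char *unparsed_uri)
{
    return contains_nocase(unparsed_uri, "%252F");
}

/* Hypothetical policy from the thread: treat the once-decoded URI as safe
 * to re-encode only when the raw URI carried no escaped percent sign.
 * Note the caveat raised above: this is only sound if unparsed_uri is
 * really the URI that later reaches jk_canonenc(); a RewriteRule that
 * injects "%25" into the decoded URI is invisible to this check. */
int double_decode_is_safe(const char *unparsed_uri)
{
    return !raw_uri_has_escaped_percent(unparsed_uri);
}

int main(void)
{
    /* Constructed sample request-URIs. */
    const char *raw[] = { "/app/a%2Fb", "/app/a%252Fb", "/app/100%25done" };
    for (size_t i = 0; i < sizeof raw / sizeof raw[0]; i++) {
        char *once = decode_once(raw[i]);
        /* "%252F" and an undecoded "%2F" look identical after this step,
         * which is why only the raw URI can tell them apart. */
        printf("%-18s once-decoded: %-14s %%25:%d %%252F:%d safe:%d\n",
               raw[i], once ? once : "(oom)",
               raw_uri_has_escaped_percent(raw[i]),
               raw_uri_has_double_encoded_slash(raw[i]),
               double_decode_is_safe(raw[i]));
        free(once);
    }
    return 0;
}
```

Running the sample shows the ambiguity directly: "/app/a%252Fb" decodes once to "/app/a%2Fb", byte-for-byte what mod_jk would see for an undecoded "/app/a%2Fb", while only the raw-URI scan distinguishes the two. The third sample ("100%25done", a literal percent sign) is flagged by the "%25" check even though no slash is involved, which illustrates why the coarse check is conservative and the "%252F"-specific one is narrower.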