Rainer Jung wrote:
Mladen Turk wrote:
My proposal is that we make our own decoder if the URI is encoded
and then do a match and forward that.


As far as I understand your suggestion, this would not help.
There's nothing wrong with "our" decoder (the httpd decoder); what's wrong is that the decoded URI gets decoded a second time by Tomcat. Double decoding is the fault (there's a nice comment about that in the httpd source code).


You got me wrong. I suggest we decode the encoded URI, do the mapping,
remove ;jsessionid=xxx and send that to Tomcat.
This way Tomcat won't have the double decoding issue.
And it's completely legitimate if we comply with the RFC.

This would also solve malicious mapping attempts like /app1/../app2
before they even hit Tomcat.

Regards,
Mladen.
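
As an added illustration of the decode-once-then-map approach described above (example code written for this note, not mod_jk's or httpd's own), assuming a constructed two-entry worker map: the front end decodes exactly once, strips ;jsessionid, normalizes, maps on the result, and flags any request whose path would still change under a second decoding, which is the mismatch between the front-end mapping and what Tomcat resolves.

```python
from urllib.parse import unquote

# Constructed stand-in for a uriworkermap: context prefix -> worker name.
WORKER_MAP = {"/app1": "worker1", "/app2": "worker2"}


def strip_jsessionid(path):
    """Drop a ;jsessionid=... path parameter from every segment before mapping."""
    return "/".join(seg.split(";jsessionid=", 1)[0] for seg in path.split("/"))


def normalize(path):
    """Collapse '', '.' and '..' segments; None when '..' climbs above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def choose_worker(path):
    """Longest-prefix context match, as a mapping table would do."""
    for ctx in sorted(WORKER_MAP, key=len, reverse=True):
        if path == ctx or path.startswith(ctx + "/"):
            return WORKER_MAP[ctx]
    return None


def map_once(raw_uri):
    """Front end: decode exactly once, strip the session id, normalize, then map."""
    path = normalize(strip_jsessionid(unquote(raw_uri)))
    return (choose_worker(path), path) if path else (None, None)


def double_decode_drift(raw_uri):
    """Path a second percent-decoding would yield; None when decoding again changes nothing."""
    _, once = map_once(raw_uri)
    if once is None:
        return None
    twice = normalize(unquote(once))
    return None if twice == once else twice


def route(raw_uri):
    """Worker to forward to, or None when the path would drift under a second decoding."""
    worker, _ = map_once(raw_uri)
    return worker if worker and double_decode_drift(raw_uri) is None else None
```

A request such as /app1/%2e%2e/app2/x is mapped on /app2/x after one decoding, while a doubly encoded /app1/%252e%252e/app2/x maps to /app1 on the front end yet would resolve to /app2/x once more decoded, so route() refuses it.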
