On Sat, 2007-05-19 at 18:57 +0200, Rainer Jung wrote:
> Jean-Frederic wrote:
> > On Sat, 2007-05-19 at 14:27 +0200, Rainer Jung wrote:
> >> Hi,
> >>
> >> now that we changed the default way how to forward URIs from mod_jk to
> >> Tomcat (mod_jk 1.2.23) because of a directory traversal issue, I want to
> >> propose a better long-term solution.
> >>
> >> What's the problem?
> >> ===================
> >
> > I think we still miss something... The mapping (map_uri_to_worker) uses
> > r->uri. Should we use s->req_uri or a carefully normalised URI to do the
> > mapping? Fixing s->req_uri doesn't help to fix the mapping (where the
> > problem comes from).
>
> Yes, the mapping uses r->uri, and it has to, because the mapping must go
> against a uudecoded normalized URI.

What about a URL like /context-a/../context-b/? There could be a problem if
the goal is not to map /context-b. Should we normalise /context-a/../context-b/
to /context-b and then do the mapping?

Cheers

Jean-Frederic

> But to be consistent with Tomcat's view of the URI, we should send a URI
> to Tomcat which gets interpreted in the same way. My proposal is to send
> r->uri to Tomcat with encoded '%'. That way decoding by Tomcat should
> result in the same URI r->uri, and since this one was already normalized
> by Apache, Tomcat normalization should not change it any more.
>
> So fixing s->req_uri in my opinion does help to fix the mapping (which
> was correct!), because it prevents Tomcat from changing the URI in a
> wrong way.
>
> Regards,
>
> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
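The mismatch the two messages above are arguing about, modelled in Python as an added example (this is not mod_jk's or Tomcat's code, and it reproduces neither project's real parser). It assumes what the thread states: Apache's r->uri is the request URI decoded once with dot-segments removed, mod_jk maps that normalized form to a worker, and Tomcat decodes the URI it receives once more and then normalizes it. The mount table, the worker names, the request URIs and the two forwarding strategies (forward r->uri unescaped, or forward r->uri with '%' re-encoded as Rainer proposes) are constructed for the example; the first strategy is there only to show why the '%' must be encoded, not as a description of any particular mod_jk release.

```python
"""Model of the mod_jk -> Tomcat URI-consistency problem discussed above (illustrative only)."""
from urllib.parse import unquote

# Hypothetical JkMount table: URI prefix -> worker name (constructed for this example).
MOUNTS = {"/context-a/": "worker-a", "/context-b/": "worker-b"}


def remove_dot_segments(path):
    """Drop '.' and resolve '..' segments of an absolute path, keeping a trailing slash
    when the last segment was a dot-segment (so '/x/..' becomes '/', not '')."""
    segs = path.split("/")[1:]          # drop the empty segment before the leading "/"
    out = []
    last = len(segs) - 1
    for i, seg in enumerate(segs):
        if seg == "..":
            if out:
                out.pop()
            if i == last:
                out.append("")
        elif seg == ".":
            if i == last:
                out.append("")
        else:
            out.append(seg)
    return "/" + "/".join(out)


def apache_r_uri(raw_request_uri):
    """Apache's r->uri as the thread describes it: decoded once, then normalized.
    This is the form map_uri_to_worker runs against."""
    return remove_dot_segments(unquote(raw_request_uri))


def map_uri_to_worker(uri):
    """Longest-prefix match of a normalized URI against MOUNTS; None means 'not forwarded'."""
    best = None
    for prefix, worker in MOUNTS.items():
        if uri.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, worker)
    return best[1] if best else None


def tomcat_view(forwarded_uri):
    """What Tomcat ends up with: it decodes the URI it received once, then normalizes."""
    return remove_dot_segments(unquote(forwarded_uri))


def forward_decoded(r_uri):
    """Illustrative strategy: forward r->uri as it is. Tomcat decodes it a second time."""
    return r_uri


def forward_escaped(r_uri):
    """Rainer's proposal: forward r->uri with '%' encoded, so Tomcat's single decode
    gives back exactly r->uri, which is already normalized."""
    return r_uri.replace("%", "%25")


def simulate(raw_request_uri, forward):
    """Run one request through mapping and forwarding; 'consistent' is True when the
    URI Tomcat acts on equals the URI mod_jk mapped against."""
    r_uri = apache_r_uri(raw_request_uri)
    worker = map_uri_to_worker(r_uri)
    tomcat_uri = tomcat_view(forward(r_uri))
    return {"r_uri": r_uri, "worker": worker, "tomcat_uri": tomcat_uri,
            "consistent": tomcat_uri == r_uri}


if __name__ == "__main__":
    # Constructed requests: a double-encoded '..' and Jean-Frederic's plain '..' case.
    for raw in ("/context-a/%252e%252e/context-b/", "/context-a/../context-b/"):
        for fwd in (forward_decoded, forward_escaped):
            print(raw, fwd.__name__, simulate(raw, fwd))
```

For the double-encoded request, Apache decodes %252e to %2e, so r->uri is /context-a/%2e%2e/context-b/ and the mapping picks worker-a; forwarding that string unescaped lets Tomcat decode %2e to '.' and normalize the request to /context-b/, a different context from the one the mapping decision was made for. With the '%' re-encoded, Tomcat decodes back to r->uri and its normalization is a no-op. For /context-a/../context-b/ the '..' is already resolved in r->uri before mapping, so both the worker and Tomcat's view are /context-b/. A real implementation would also need to escape any other characters in the decoded r->uri that are not valid in a URI, not only '%'; the thread discusses only the '%' case.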