Mladen Turk wrote:
You got me wrong. I suggest we decode the encoded uri, do mapping,
remove ;jsessionid=xxx and send that to the Tomcat.
This way tomcat won't have double encoding issue.
And it's completely legitimate if we comply to the RFC.
This would also solve malicious mapping attempts like /app1/../app2
before they even hit tomcat.
It would not help. Tomcat *does* another decoding in the connector!
If the URI contains %252e%252e (example) httpd correctly decodes this as
%2e%2e and it is correct to not decode this a second time. httpd and
mod_jk do not normalize this away after the first decoding, because it
is not equal to "..". So if we forward the decoded and normalized URI to
Tomcat, the Tomcat connector decodes a second time and then this will be
".." and normalized away on the Tomcat side.
Furthermore: I don't understand your comment about removing
";jsessionid". We cannot remove it, this will kill the session. But as
you know that yourself I must have misunderstood your first sentence.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
