Jean-Frederic wrote:
On Sun, 2007-05-20 at 18:17 +0200, Rainer Jung wrote:
Before I answer, let me first ask a question: What's wrong with my suggestion? Or even better: use the encoding done with mod_proxy_ajp?

For me there is nothing wrong except it adds 2 JKoptions or 3 :-)

If we think the new way is the correct way, we could have it as the default, letting the old ones there for compatibility with existing configurations as non standard options. The new one would not need an explicit name if it gets to be the standard.

We know that Tomcat is going to normalise a url we have already
normalised. Shouldn't we check that a second normalisation (like the
Tomcat one) gives a different url and if yes have a flag to return
"forbidden"? (Yes that would be a 4th option).

Here I try to argue that encoding '%' before forwarding and decoding by Tomcat should lead to the identity operation. I thought a little more about it and most likely encoding '+' is also necessary, because besides the '%' decoding, Tomcat will most likely (I have to check) also decode '+' -> ' '. At the end I tend to use the same function that's used in mod_proxy_ajp to reencode before forwarding (although only encoding '%' and '+' would be faster).

Rejecting requests with double encoding can already be done by mod_rewrite, because mod_rewrite operates on the decoded URI, so you only need to check for '%' (and '+' if you like).

Regards,

Rainer
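
The round trip discussed in this message, as an added example that is not part of the original e-mail and is not mod_jk, mod_proxy_ajp or Tomcat code: the front end decodes once, re-encodes only '%' and '+' before forwarding, and a single backend decoding pass then restores the URI the front end saw. All function names and the sample URI are constructed for illustration, and the backend model (one pass of %XX decoding plus '+' -> ' ') is an assumption taken from the message.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(uri, plus_as_space=False):
    """A single decoding pass: %XX -> character, optionally '+' -> ' '."""
    if plus_as_space:
        # Done before %XX decoding so that an escaped %2B survives as '+'.
        uri = uri.replace("+", " ")
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), uri)

def reencode_minimal(decoded):
    """Escape only '%' and '+', so one backend pass restores `decoded`."""
    # '%' must be escaped first, otherwise the '%' of "%2B" would be escaped again.
    return decoded.replace("%", "%25").replace("+", "%2B")

def still_encoded(decoded, check_plus=False):
    """True if an already-decoded URI would change under a second decoding pass."""
    return "%" in decoded or (check_plus and "+" in decoded)

def forward(raw_uri, reject_double=False):
    """Hypothetical front end: decode, optionally reject, re-encode for the backend."""
    decoded = decode_once(raw_uri)  # the URI the front end matches its rules against
    if reject_double and still_encoded(decoded):
        return 403, None            # the "forbidden" flag discussed in the thread
    return 200, reencode_minimal(decoded)

# Constructed sample: a doubly encoded space and a literal '+'.
SAMPLE = "/docs/a%2520b+c"

if __name__ == "__main__":
    seen = decode_once(SAMPLE)
    print("front end sees      :", seen)
    print("backend, no reencode:", decode_once(seen, plus_as_space=True))
    status, fwd = forward(SAMPLE)
    print("forwarded           :", fwd)
    print("backend, reencoded  :", decode_once(fwd, plus_as_space=True))
    print("strict mode status  :", forward(SAMPLE, reject_double=True)[0])
```
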
