Bill Barker wrote:

Now the reverse proxy should have the ability to modify the URI (in the sense of mod_rewrite). If we accept that mod_rewrite in httpd 1.3-2.2 is only able to operate on the decoded URI, we have no chance of making this interoperable with forwarding the original undecoded URI.


Yes, RFC 2616 permits *any* intermediate proxy to alter the URI in *any* way before passing it on. So to be meaningful, the Servlet spec requirement can only apply to the URI that TC receives from the last proxy in the chain.


Exactly my point.
We can rewrite the URI in whatever way we wish as long as it is
an RFC compliant URI.
If that means temporarily normalizing the URI and looking for
malicious requests like /foo/../bar/, what's the problem?
We know that this particular request will end up as
/bar/ on the Tomcat side, so I really see no reason why we
shouldn't try to detect that, and then if we have JkMount /bar/*
we can send as the original URI either /bar/ or /foo/../bar/.
In the end Tomcat will serve the same resource.

Regards,
Mladen.
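
Added example, not part of the original message and not mod_jk's own code: a C sketch of the check discussed above, which normalizes an already-decoded path only to decide whether it falls under a JkMount pattern. The function names and the simplified wildcard matching are assumptions made for illustration.

```c
#include <string.h>

/* Collapse "." and ".." segments of an already-decoded path into out (needs
 * strlen(path)+1 bytes). Returns -1 if not absolute or ".." escapes the root. */
int normalize_path(const char *path, char *out)
{
    size_t n = 0;
    int dir = 0;                       /* result must end with '/' */
    const char *p = path;
    if (*p != '/') return -1;
    while (*p) {
        while (*p == '/') p++;         /* also collapses "//" */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) { dir = 1; break; }              /* trailing slash */
        if (len == 1 && seg[0] == '.') { dir = 1; continue; }
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (n == 0) return -1;                     /* climbs above "/" */
            while (out[--n] != '/') ;                  /* drop last segment */
            dir = 1; continue;
        }
        out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
        dir = 0;
    }
    if (dir || n == 0) out[n++] = '/';
    out[n] = '\0';
    return 0;
}

/* Simplified mount test (assumption): "/bar/*" matches paths under "/bar/". */
int mount_matches(const char *mount, const char *path)
{
    size_t m = strlen(mount);
    if (m >= 2 && strcmp(mount + m - 2, "/*") == 0)
        return strncmp(mount, path, m - 1) == 0;
    return strcmp(mount, path) == 0;
}

/* 1 = forward to Tomcat, 0 = not mapped, -1 = reject the request. */
int route(const char *uri, const char *mount)
{
    char norm[1024];
    if (strlen(uri) >= sizeof norm || normalize_path(uri, norm)) return -1;
    return mount_matches(mount, norm);
}
```

Matching the mount against the raw string gets both directions wrong: /foo/../bar/ is missed, while /bar/../admin/ passes the prefix test even though it resolves outside /bar/.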
