Mladen Turk wrote:
> Mark Thomas wrote:
>> Test 1: Tomcat only
>> http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
>>
>> This correctly showed the index.html I created above.
> 
> But this is an oxymoron. You wish to serve the content from
> servlets-examples with only jsp-examples mounted.
> This is also the exact reason of CVE-2007-1860.

No, I am not. I am trying to access the resource at the physical
file location:
appBase/jsp-examples/%2e%2e/servlets-examples/index.html

Note that there really is a directory with the name %2e%2e. This
content is part of the jsp-examples web application. The names of the
sub-directories are deliberately chosen to cause problems and to
illustrate my point.

Trying to access /jsp-examples/salesgrowth%2007.html (a more likely
file name in, say, a content management scenario) has similar problems.

It is expected that this will be accessible via:
http://host:port/jsp-examples/salesgrowth%252007.html

Test environment as before...
Test 1: Tomcat only
Works

Test 2: Tomcat + httpd + mod_jk 1.2.22
Fails with 404

Test 3: Tomcat + httpd + mod_jk 1.2.23
Works

Test 4: Tomcat + httpd + mod_jk 1.2.HEAD
Works

Hmm. This wasn't what I was expecting. However, when I set
JkOptions +ForwardURICompat in httpd.conf, restoring the default
as mentioned previously in this thread, test 4 fails again.

In summary, I think we should be aiming for a solution that:
- doesn't have any security issues
- can serve files like salesgrowth%2007.html with the default config
- works with mod_rewrite etc

If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
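
A minimal model of the decode and re-encode question raised in this message, added here as an example; it is not part of the original email and is not mod_jk or Tomcat code. The function names and the two forwarding modes are assumptions made for illustration, and the request URIs are the ones quoted in the message.

```python
import posixpath
from urllib.parse import quote, unquote

def backend_resolve(wire_uri):
    """Backend in this model: percent-decodes the received URI exactly once."""
    return unquote(wire_uri)

def proxy_forward(request_uri, reencode):
    """Front end in this model: decodes once for its own matching, then forwards.

    reencode=False forwards the decoded form, so the backend decodes a second time.
    reencode=True percent-encodes the decoded path again before forwarding.
    """
    decoded = unquote(request_uri)
    return quote(decoded, safe="/") if reencode else decoded

def escapes_context(path, context):
    """True if the normalised path is no longer under the mounted context."""
    norm = posixpath.normpath(path)
    return not (norm == context or norm.startswith(context + "/"))

def trace(request_uri):
    """Path the backend ends up resolving: directly, and via each forwarding mode."""
    return {
        "direct": backend_resolve(request_uri),
        "forward_decoded": backend_resolve(proxy_forward(request_uri, False)),
        "forward_reencoded": backend_resolve(proxy_forward(request_uri, True)),
    }

if __name__ == "__main__":
    context = "/jsp-examples"  # the only mounted context in the tests above
    for uri in (
        "/jsp-examples/%252e%252e/servlets-examples/index.html",
        "/jsp-examples/salesgrowth%252007.html",
    ):
        print(uri)
        for mode, resolved in trace(uri).items():
            flag = "LEAVES CONTEXT" if escapes_context(resolved, context) else "ok"
            print(f"  {mode:18} -> {resolved!r} [{flag}]")
```

In this model, forwarding the decoded form turns the literal directory name `%2e%2e` into `..` and the file name `salesgrowth%2007.html` into `salesgrowth 07.html`, while re-encoding before forwarding gives the backend the same path it resolves when accessed directly.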
