Remy Maucherat wrote:
Remy Maucherat wrote:
[EMAIL PROTECTED] wrote:
Author: mturk
Date: Tue Jun 26 05:28:00 2007
New Revision: 550789
URL: http://svn.apache.org/viewvc?view=rev&rev=550789
Log:
Do not pass session id if it is zero length. For now only log those
attempts. We should consider returning 400 if the jsessionid is empty
perhaps.
This serves no useful purpose. What if jsessionid is one char long
(let's say ' ')? Is it more valid?
Since I didn't get an answer, I suppose I have to clarify. This means I
am vetoing this commit (if someone needs to filter out certain requests
based on this sort of constraints, they should use a valve or a filter
instead, which is very easy to do).
This is not a valid veto. There is no specification nor security
reason that my patch would break. Whether something can be done by some
third party (like Tomcat) is completely unrelated to the purpose for
which the veto can be used.
See:
http://www.apache.org/foundation/voting.html#Veto
However this is my opinion, so I'm not sure what to do next
if you don't revoke your veto.
I suppose we should ask someone more familiar with the subject
to give an independent verdict.
From a technical POV my patch is correct because a session id can
be anything except null or an empty string. Thus a ' ' is a legitimate
JSESSIONID identifier, of course not necessarily with Tomcat, but
mod_jk can be used as a frontend to other AJP protocol servlet engines.
Regards,
Mladen.