http://issues.apache.org/bugzilla/show_bug.cgi?id=43019

           Summary: valid absolute request uris + mod_jk 1.2.23 return 400 Invalid URI
           Product: Tomcat 6
           Version: 6.0.13
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Problem noticed after upgrading to 1.2.23 to pick up the fix for
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860

mod_jk now by default uses JkOptions +ForwardURICompatUnparsed

Problem seen with Tomcat 5.0.28 through 6.0.13 and other versions are likely affected.

The problem: Some HTTP clients send requests like:

    POST http://host/abs_path HTTP/1.1
    Host:host

When Tomcat is fronted by mod_jk 1.2.23, requests like this now produce 400 Invalid URI responses.

After more testing, we found:

(1) client -> (apache + mod_jk) -> tomcat: produces "400 Invalid URI" response
(2) client -> (apache + mod_jk) -> (tomcat + apr): produces "200 OK" response
(3) client -> tomcat: produces "200 OK" response

Stepping through case (1) with a debugger, the request was rejected at this point:

    package org.apache.catalina.connector;
    public class CoyoteAdapter {
        public static boolean normalize(MessageBytes uriMB) {
            ...
            // The URL must start with '/'
            if (b[start] != (byte) '/') {
                return false;
            }

The byte buffer contained the full http://host/abs_path request uri.

Comparing the differences between org.apache.coyote.ajp.AjpAprProcessor (case 2, works OK) and org.apache.jk.common.HandlerRequest (case 1, broken), we noticed that AjpAprProcessor converts http://host/abs_path to /abs_path in the STAGE_PREPARE phase but HandlerRequest does not.

To fix, we just copied the code from AjpAprProcessor to HandlerRequest essentially unchanged:

    package org.apache.jk.common;
    public class HandlerRequest {
        ...
        private int decodeRequest( Msg msg, MsgContext ep, MessageBytes tmpMB )
            throws IOException {
            ...
            decodeHeaders( ep, msg, req, tmpMB );
            decodeAttributes( ep, msg, req, tmpMB );
            rp.setStage(Constants.STAGE_PREPARE);

            // start yahoo! modified:
            // note this code was taken from AjpProcessor.prepare() - other code
            // from that method should also be considered for inclusion here
            // Check for a full URI (including protocol://host:port/)
            ByteChunk uriBC = req.requestURI().getByteChunk();
            if (uriBC.startsWithIgnoreCase("http", 0)) {
                int pos = uriBC.indexOf("://", 0, 3, 4);
                int uriBCStart = uriBC.getStart();
                int slashPos = -1;
                if (pos != -1) {
                    byte[] uriB = uriBC.getBytes();
                    slashPos = uriBC.indexOf('/', pos + 3);
                    if (slashPos == -1) {
                        slashPos = uriBC.getLength();
                        // Set URI as "/"
                        req.requestURI().setBytes
                            (uriB, uriBCStart + pos + 1, 1);
                    } else {
                        req.requestURI().setBytes
                            (uriB, uriBCStart + slashPos,
                             uriBC.getLength() - slashPos);
                    }
                    MessageBytes hostMB = req.getMimeHeaders().setValue("host");
                    hostMB.setBytes(uriB, uriBCStart + pos + 3,
                                    slashPos - pos - 3);
                }
            }
            // end yahoo! modified

            MessageBytes valueMB = req.getMimeHeaders().getValue("host");
            parseHost(valueMB, req);
            // set cookies on request now that we have all headers
            req.getCookies().setHeaders(req.getMimeHeaders());
            ...
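
The rejection in normalize() and the absolute-URI rewrite described in the report can be reproduced outside Tomcat. The following is an added example, not part of the original report and not Tomcat code: the class, record and method names are hypothetical, it works on Strings instead of ByteChunk, and it is stricter than the posted code in accepting only the exact schemes http and https.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

// Added example, not Tomcat code; class, record and method names are hypothetical.
public class AbsoluteUriDemo {

    /** Origin-form path plus the host taken from the target (null if none). */
    record Target(String path, String host) {}

    /** Same test as the normalize() excerpt: the URI must start with '/'. */
    static boolean startsWithSlash(String uri) {
        byte[] b = uri.getBytes(StandardCharsets.ISO_8859_1);
        return b.length > 0 && b[0] == (byte) '/';
    }

    /** Rewrites "http://host/abs_path" to "/abs_path"; other targets pass through. */
    static Target toOriginForm(String uri) {
        int pos = uri.indexOf("://");
        if (pos < 0) {
            return new Target(uri, null);
        }
        // Stricter than a "starts with http" prefix test: exact scheme match only.
        String scheme = uri.substring(0, pos).toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return new Target(uri, null);
        }
        int slash = uri.indexOf('/', pos + 3);
        if (slash == -1) {
            // Authority only, no path: the request is for "/"
            return new Target("/", uri.substring(pos + 3));
        }
        // The host from the target replaces any Host header, as in the posted change.
        return new Target(uri.substring(slash), uri.substring(pos + 3, slash));
    }

    public static void main(String[] args) {
        // Constructed request targets, not taken from the report
        String[] samples = {
            "/abs_path", "http://host/abs_path", "HTTP://host:8080",
            "https://host/a?u=http://x/", "/redirect?u=http://x/", "ftp://host/file"
        };
        for (String s : samples) {
            Target t = toOriginForm(s);
            System.out.printf("%-28s before=%-5b after=%-5b path=%s host=%s%n",
                s, startsWithSlash(s), startsWithSlash(t.path()), t.path(), t.host());
        }
    }
}
```

The `record` syntax needs Java 16 or later. Targets with any other scheme pass through unchanged and still fail the leading-slash check.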