Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED

2007-05-16 Thread Jean-Frederic
On Tue, 2007-05-15 at 18:37 +0200, Rainer Jung wrote:
> I didn't follow this, but the comment in the httpd 2.x module code says:
>
>  /*
>   * The 2.2 servlet spec errata says the uri from
>   * HttpServletRequest.getRequestURI() should remain encoded.
>   * [http://java.sun.com/products/servlet/errata_042700.html]
>   *
>   * We use JkOptions to determine which method to be used
>   *
>   * ap_escape_uri is the latest recommended but requires
>   *   some java decoding (in TC 3.3 rc2)
>   *
>   * unparsed_uri is used for strict compliance with spec and
>   *  old Tomcat (3.2.3 for example)
>   *
>   * uri is used for compatibility with mod_rewrite with old Tomcats
>   */
>
> We do (pseudo code):
>
> JK_OPT_FWDURICOMPATUNPARSED:
>     s->req_uri = r->unparsed_uri;
>     if (s->req_uri != NULL) {
>         char *query_str = strchr(s->req_uri, '?');
>         if (query_str != NULL) {
>             *query_str = 0;
>         }
>     }
>
> JK_OPT_FWDURICOMPAT (the DEFAULT):
>     s->req_uri = r->uri;
>
> JK_OPT_FWDURIESCAPED:
>     s->req_uri = ap_escape_uri(r->pool, r->uri);
>     break;
>
>
> And finally our docs state:
>
> The three following options +ForwardURIxxx are mutually exclusive. ...
> By default, the option ForwardURICompat is turned on. You can turn this
> off by switching on one of the other two.
>
> JkOptions ForwardURICompat, you ask mod_jk to send the URI to Tomcat
> normally, which is less spec compliant but mod_rewrite compatible, use
> it for compatibility with Tomcat 3.2.x engines (on by default).
>
> JkOptions ForwardURICompatUnparsed, the forwarded URI is unparsed, it's
> spec compliant but broke mod_rewrite.
>
> JkOptions ForwardURIEscaped, the forwarded URI is escaped and Tomcat
> (since 3.3 rc2) will do the decoding part.
>
> So what we do is what is documented. Breaking the default should have
> serious reasons at least. For 1.3/3.0 we could consider changing more
> easily of course.
>
> Why do you think the default is bad?

Because it breaks the specs and allows unexpected handling of URLs that
are encoded (for example: /context-A/%252E%252E/context-B that is sent
to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat
as /context-B).

Cheers

Jean-Frederic

 
> Regards,
>
> Rainer
>
> Jean-Frederic wrote:
> > Hi,
> >
> > I think that the default value of JK_OPT_FWDURIDEFAULT is bad and should
> > be JK_OPT_FWDURICOMPATUNPARSED.
> >
> > Any comments?
> >
> > Cheers
> >
> > Jean-Frederic
 
 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
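
The example URL from the message above, run through a simplified model of the three ForwardURI modes. This is an added illustration, not code from the thread or from mod_jk: the function names are hypothetical, `urllib.parse.quote` stands in for `ap_escape_uri`, and the back end is assumed to decode once and then collapse `..` segments.

```python
import posixpath
from urllib.parse import quote, unquote

MODES = ("ForwardURICompat", "ForwardURICompatUnparsed", "ForwardURIEscaped")


def forwarded_uri(mode: str, raw_target: str) -> str:
    """URI the front end forwards for a raw request target (simplified model)."""
    unparsed = raw_target.split("?", 1)[0]       # unparsed_uri with the query cut off
    uri = posixpath.normpath(unquote(unparsed))  # models r->uri: decoded once, normalized
    if mode == "ForwardURICompatUnparsed":
        return unparsed
    if mode == "ForwardURIEscaped":
        return quote(uri, safe="/")              # assumption: stands in for ap_escape_uri
    if mode == "ForwardURICompat":
        return uri
    raise ValueError(f"unknown mode: {mode}")


def backend_path(forwarded: str) -> str:
    """Assumed back-end behaviour: decode once, then collapse '..' segments."""
    return posixpath.normpath(unquote(forwarded))


def leaves_prefix(mode: str, raw_target: str, prefix: str) -> bool:
    """True when the back end resolves the request outside the given prefix."""
    resolved = backend_path(forwarded_uri(mode, raw_target))
    return not (resolved == prefix or resolved.startswith(prefix + "/"))


if __name__ == "__main__":
    target = "/context-A/%252E%252E/context-B"   # example URL from the thread
    for mode in MODES:
        sent = forwarded_uri(mode, target)
        print(f"{mode:<25} forwards {sent:<33} -> {backend_path(sent)}"
              f" (leaves /context-A: {leaves_prefix(mode, target, '/context-A')})")
```

Only the ForwardURICompat row resolves outside /context-A, because the URI is decoded once by the front end and a second time by the back end.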



Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED

2007-05-16 Thread Rainer Jung

> > Why do you think the default is bad?
>
> Because it breaks the specs and allows unexpected handling of URLs that
> are encoded (for example: /context-A/%252E%252E/context-B that is sent
> to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat
> as /context-B).

So how do you suggest handling a change?

- Being secure by default, i.e. really changing the default in 1.2 and 
putting a big note about it in the docs, the news page and maybe the 
download README


or/and

- Staying compatible in 1.2, changing in 1.3 but putting a big note in 
the docs page about the options concerning the security relevance of the 
options.


Regards,

Rainer




Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED

2007-05-16 Thread Jean-Frederic
On Wed, 2007-05-16 at 13:17 +0200, Rainer Jung wrote:
> > > Why do you think the default is bad?
> >
> > Because it breaks the specs and allows unexpected handling of URLs that
> > are encoded (for example: /context-A/%252E%252E/context-B that is sent
> > to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat
> > as /context-B).
>
> So how do you suggest handling a change?
>
> - Being secure by default, i.e. really changing the default in 1.2 and
> putting a big note about it in the docs, the news page and maybe the
> download README

Yes, I think that is the correct option. Default values should always follow
the specs and be as secure as possible.

Cheers

Jean-Frederic

 
> or/and
>
> - Staying compatible in 1.2, changing in 1.3 but putting a big note in
> the docs page about the options concerning the security relevance of the
> options.
>
> Regards,
>
> Rainer
 
 





Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED

2007-05-15 Thread Jean-Frederic
Hi,

I think that the default value of JK_OPT_FWDURIDEFAULT is bad and should
be JK_OPT_FWDURICOMPATUNPARSED.

Any comments?

Cheers

Jean-Frederic





Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED

2007-05-15 Thread Rainer Jung

I didn't follow this, but the comment in the httpd 2.x module code says:

/*
 * The 2.2 servlet spec errata says the uri from
 * HttpServletRequest.getRequestURI() should remain encoded.
 * [http://java.sun.com/products/servlet/errata_042700.html]
 *
 * We use JkOptions to determine which method to be used
 *
 * ap_escape_uri is the latest recommended but requires
 *   some java decoding (in TC 3.3 rc2)
 *
 * unparsed_uri is used for strict compliance with spec and
 *  old Tomcat (3.2.3 for example)
 *
 * uri is used for compatibility with mod_rewrite with old Tomcats
 */

We do (pseudo code):

JK_OPT_FWDURICOMPATUNPARSED:
    s->req_uri = r->unparsed_uri;
    if (s->req_uri != NULL) {
        char *query_str = strchr(s->req_uri, '?');
        if (query_str != NULL) {
            *query_str = 0;
        }
    }

JK_OPT_FWDURICOMPAT (the DEFAULT):
    s->req_uri = r->uri;

JK_OPT_FWDURIESCAPED:
    s->req_uri = ap_escape_uri(r->pool, r->uri);
    break;


And finally our docs state:

The three following options +ForwardURIxxx are mutually exclusive. ...
By default, the option ForwardURICompat is turned on. You can turn this 
off by switching on one of the other two.


JkOptions ForwardURICompat, you ask mod_jk to send the URI to Tomcat 
normally, which is less spec compliant but mod_rewrite compatible, use 
it for compatibility with Tomcat 3.2.x engines (on by default).


JkOptions ForwardURICompatUnparsed, the forwarded URI is unparsed, it's 
spec compliant but broke mod_rewrite.


JkOptions ForwardURIEscaped, the forwarded URI is escaped and Tomcat 
(since 3.3 rc2) will do the decoding part.


So what we do is what is documented. Breaking the default should have 
serious reasons at least. For 1.3/3.0 we could consider changing more 
easily of course.


Why do you think the default is bad?

Regards,

Rainer

Jean-Frederic wrote:

> Hi,
>
> I think that the default value of JK_OPT_FWDURIDEFAULT is bad and should
> be JK_OPT_FWDURICOMPATUNPARSED.
>
> Any comments?
>
> Cheers
>
> Jean-Frederic

