Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED
On Tue, 2007-05-15 at 18:37 +0200, Rainer Jung wrote:

> I didn't follow this, but the comment in the httpd 2.x module code says:
>
>     /*
>      * The 2.2 servlet spec errata says the uri from
>      * HttpServletRequest.getRequestURI() should remain encoded.
>      * [http://java.sun.com/products/servlet/errata_042700.html]
>      *
>      * We use JkOptions to determine which method to be used
>      *
>      * ap_escape_uri is the latest recommended but requires
>      * some java decoding (in TC 3.3 rc2)
>      *
>      * unparsed_uri is used for strict compliance with spec and
>      * old Tomcat (3.2.3 for example)
>      *
>      * uri is used for compatibility with mod_rewrite with old Tomcats
>      */
>
> We do (pseudo code):
>
>     JK_OPT_FWDURICOMPATUNPARSED:
>         s->req_uri = r->unparsed_uri;
>         if (s->req_uri != NULL) {
>             char *query_str = strchr(s->req_uri, '?');
>             if (query_str != NULL) {
>                 *query_str = 0;
>             }
>         }
>     JK_OPT_FWDURICOMPAT (the DEFAULT):
>         s->req_uri = r->uri;
>     JK_OPT_FWDURIESCAPED:
>         s->req_uri = ap_escape_uri(r->pool, r->uri);
>         break;
>
> And finally our docs state:
>
>     The three following options +ForwardURIxxx are mutually exclusive.
>     ...
>     By default, the option ForwardURICompat is turned on. You can turn
>     this off by switching on one of the other two.
>
>     JkOptions ForwardURICompat, you ask mod_jk to send the URI to Tomcat
>     normally, which is less spec compliant but mod_rewrite compatible,
>     use it for compatibility with Tomcat 3.2.x engines (on by default).
>
>     JkOptions ForwardURICompatUnparsed, the forwarded URI is unparsed,
>     it's spec compliant but breaks mod_rewrite.
>
>     JkOptions ForwardURIEscaped, the forwarded URI is escaped and Tomcat
>     (since 3.3 rc2) will do the decoding part.
>
> So what we do is what is documented. Breaking the default should have
> serious reasons at least. For 1.3/3.0 we could consider changing more
> easily of course.
>
> Why do you think the default is bad?

Because it breaks the spec and allows unexpected handling of URLs that are
encoded (for example: /context-A/%252E%252E/context-B that is sent to Tomcat
as /context-A/%2E%2E/context-B and mapped by Tomcat as /context-B).

Cheers

Jean-Frederic

> Regards,
>
> Rainer
>
> Jean-Frederic wrote:
>> Hi,
>> I think that the default value of JK_OPT_FWDURIDEFAULT is bad and
>> should be JK_OPT_FWDURICOMPATUNPARSED.
>> Any comments?
>> Cheers
>> Jean-Frederic

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED
>> Why do you think the default is bad?
>
> Because it breaks the spec and allows unexpected handling of URLs that are
> encoded (for example: /context-A/%252E%252E/context-B that is sent to
> Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat as /context-B).

So how do you suggest to handle a change?

- Being secure by default, i.e. really changing the default in 1.2 and
  putting a big note about it in the docs, the news page and maybe the
  download README

or/and

- Staying compatible in 1.2, changing in 1.3 but putting a big note in the
  docs page about the options concerning the security relevance of the
  options.

Regards,

Rainer
Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED
On Wed, 2007-05-16 at 13:17 +0200, Rainer Jung wrote:

>>> Why do you think the default is bad?
>>
>> Because it breaks the spec and allows unexpected handling of URLs that
>> are encoded (for example: /context-A/%252E%252E/context-B that is sent
>> to Tomcat as /context-A/%2E%2E/context-B and mapped by Tomcat as
>> /context-B).
>
> So how do you suggest to handle a change?
>
> - Being secure by default, i.e. really changing the default in 1.2 and
>   putting a big note about it in the docs, the news page and maybe the
>   download README

Yes, I think that is the correct option. Default values should always follow
the spec and be as secure as possible.

Cheers

Jean-Frederic

> or/and
>
> - Staying compatible in 1.2, changing in 1.3 but putting a big note in
>   the docs page about the options concerning the security relevance of
>   the options.
>
> Regards,
>
> Rainer
Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED
Hi,

I think that the default value of JK_OPT_FWDURIDEFAULT is bad and should be
JK_OPT_FWDURICOMPATUNPARSED.

Any comments?

Cheers

Jean-Frederic
Re: Changing JK_OPT_FWDURIDEFAULT to JK_OPT_FWDURICOMPATUNPARSED
I didn't follow this, but the comment in the httpd 2.x module code says:

    /*
     * The 2.2 servlet spec errata says the uri from
     * HttpServletRequest.getRequestURI() should remain encoded.
     * [http://java.sun.com/products/servlet/errata_042700.html]
     *
     * We use JkOptions to determine which method to be used
     *
     * ap_escape_uri is the latest recommended but requires
     * some java decoding (in TC 3.3 rc2)
     *
     * unparsed_uri is used for strict compliance with spec and
     * old Tomcat (3.2.3 for example)
     *
     * uri is used for compatibility with mod_rewrite with old Tomcats
     */

We do (pseudo code):

    JK_OPT_FWDURICOMPATUNPARSED:
        s->req_uri = r->unparsed_uri;
        if (s->req_uri != NULL) {
            char *query_str = strchr(s->req_uri, '?');
            if (query_str != NULL) {
                *query_str = 0;
            }
        }
    JK_OPT_FWDURICOMPAT (the DEFAULT):
        s->req_uri = r->uri;
    JK_OPT_FWDURIESCAPED:
        s->req_uri = ap_escape_uri(r->pool, r->uri);
        break;

And finally our docs state:

    The three following options +ForwardURIxxx are mutually exclusive.
    ...
    By default, the option ForwardURICompat is turned on. You can turn
    this off by switching on one of the other two.

    JkOptions ForwardURICompat, you ask mod_jk to send the URI to Tomcat
    normally, which is less spec compliant but mod_rewrite compatible,
    use it for compatibility with Tomcat 3.2.x engines (on by default).

    JkOptions ForwardURICompatUnparsed, the forwarded URI is unparsed,
    it's spec compliant but breaks mod_rewrite.

    JkOptions ForwardURIEscaped, the forwarded URI is escaped and Tomcat
    (since 3.3 rc2) will do the decoding part.

So what we do is what is documented. Breaking the default should have
serious reasons at least. For 1.3/3.0 we could consider changing more
easily of course.

Why do you think the default is bad?

Regards,

Rainer

Jean-Frederic wrote:
> Hi,
> I think that the default value of JK_OPT_FWDURIDEFAULT is bad and
> should be JK_OPT_FWDURICOMPATUNPARSED.
> Any comments?
> Cheers
> Jean-Frederic
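As an added illustration (not code from this thread, from mod_jk or from httpd), here is a small C model of the three ForwardURI options in the pseudo code above, run on the double-encoded /context-A/%252E%252E/context-B request discussed in this thread. pct_decode, pct_escape, forward_uri and tomcat_mapped_path are my own simplified stand-ins for httpd's one-pass decoding into r->uri, ap_escape_uri, mod_jk's choice of req_uri, and Tomcat's decode-then-normalise mapping.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum fwd_mode { FWD_COMPAT, FWD_COMPAT_UNPARSED, FWD_ESCAPED };

/* One pass of %XX decoding: what httpd does to build r->uri, and what Tomcat
 * does again on the URI it is handed. Malformed %XX sequences are kept as-is. */
static void pct_decode(const char *in, char *out) {
    for (; *in; in++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], 0 };
            *out++ = (char)strtol(hex, NULL, 16);
            in += 2;
        } else *out++ = *in;
    }
    *out = 0;
}
/* Simplified stand-in for ap_escape_uri: re-encode anything outside a small
 * safe set (httpd's real table allows more characters; like it, '%' is escaped). */
static void pct_escape(const char *in, char *out) {
    for (; *in; in++) {
        if (isalnum((unsigned char)*in) || strchr("-_.~/", *in)) *out++ = *in;
        else out += sprintf(out, "%%%02X", (unsigned char)*in);
    }
    *out = 0;
}
/* The URI mod_jk forwards for a client request-line URI under each ForwardURI option. */
const char *forward_uri(enum fwd_mode mode, const char *unparsed_uri) {
    static char out[512]; char path[512], *q;
    snprintf(path, sizeof path, "%s", unparsed_uri);
    if ((q = strchr(path, '?'))) *q = 0;             /* the query string never travels in req_uri */
    if (mode == FWD_COMPAT_UNPARSED) return strcpy(out, path);   /* r->unparsed_uri, still encoded */
    pct_decode(path, out);                           /* r->uri: already decoded once by httpd */
    if (mode == FWD_ESCAPED) { strcpy(path, out); pct_escape(path, out); }  /* ap_escape_uri(r->uri) */
    return out;
}
/* How Tomcat maps what it receives: decode once more, then collapse "." and ".." segments. */
const char *tomcat_mapped_path(const char *forwarded) {
    static char out[512]; char dec[512];
    pct_decode(forwarded, dec);
    out[0] = 0;
    for (const char *p = dec, *e; *p; p = e) {
        while (*p == '/') p++;
        for (e = p; *e && *e != '/'; e++) ;
        size_t n = (size_t)(e - p);
        if (n == 2 && p[0] == '.' && p[1] == '.') { char *s = strrchr(out, '/'); if (s) *s = 0; }
        else if (n > 0 && !(n == 1 && p[0] == '.')) { strcat(out, "/"); strncat(out, p, n); }
    }
    return out[0] ? out : strcpy(out, "/");
}
```

With the default ForwardURICompat the request reaches Tomcat as /context-A/%2E%2E/context-B and maps to /context-B; with ForwardURICompatUnparsed or ForwardURIEscaped Tomcat receives %252E%252E, decodes it once to a literal "%2E%2E" segment, and no directory traversal occurs.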