Jean-Frederic wrote:
On Sat, 2007-06-09 at 23:15 +0200, Remy Maucherat wrote:
Mark Thomas wrote:
If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
I don't see how reencoding the URI would be possible: it will mess up
character encod
On Sat, 2007-06-09 at 23:15 +0200, Remy Maucherat wrote:
> Mark Thomas wrote:
> > If we re-encoded the uri before sending it to Tomcat that would meet
> > all of the above requirements wouldn't it?
>
> I don't see how reencoding the URI would be possible: it will mess up
> character encoding, and
Mark Thomas wrote:
If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
I don't see how reencoding the URI would be possible: it will mess up
character encoding, and may not correspond to the original URI.
How does it work in mod_pro
Mladen Turk wrote:
> Mark Thomas wrote:
>> Test 1: Tomcat only
>> http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
>>
>> This correctly showed the index.html I created above.
>
> But this is an oxymoron. You wish to serve the content from
> servlets-examples with only jsp-exa
Mark Thomas wrote:
Single ajp13 worker
jkMount /jsp-examples/* worker1
A simple 'hello world' html file was created at (directories created
where required):
/jsp-examples/%2e%2e/servlets-examples/index.html
Test 1: Tomcat only
http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/i
Mladen Turk wrote:
> Mark Thomas wrote:
>>
>>> Did I mention that uri is *not* decoded twice?
>>
>> You did and I still don't agree. The root cause of CVE-2007-1860 was a
>> double decoding. Once in httpd/mod_jk and once in Tomcat.
>>
>
> Why don't you agree?
> Please provide a use case and con
Remy Maucherat wrote:
Mark Thomas wrote:
As I see it, we have two options:
a) Prevent Tomcat from decoding the uri a second time at step 7 above
b) Re-encode the uri in mod_jk between steps 5 and 6
I think:
- it's the proxy which should have options for adapting to what the
proxied server do
Mark Thomas wrote:
As I see it, we have two options:
a) Prevent Tomcat from decoding the uri a second time at step 7 above
b) Re-encode the uri in mod_jk between steps 5 and 6
The problem with b) is that we can't easily tell what characters were
previously encoded and need to be re-encoded. b) i
Mark Thomas wrote:
Did I mention that uri is *not* decoded twice?
You did and I still don't agree. The root cause of CVE-2007-1860 was a
double decoding. Once in httpd/mod_jk and once in Tomcat.
Why don't you agree?
Please provide a use case and confirm your statements are
legitimate.
Mladen Turk wrote:
> Mark Thomas wrote:
>>> mod_jk 1.2.23 (with default passing r->unparsed_uri) will return 404
>>> from Tomcat because it will pass the original uri, not the one Httpd
>>> already unfolded)
>> This is correct and provides consistent behaviour for direct to Tomcat
>> access and ac
Mark Thomas wrote:
>> mod_jk 1.2.23 (with default passing r->unparsed_uri) will return 404
>> from Tomcat because it will pass the original uri, not the one Httpd
>> already unfolded)
> This is correct and provides consistent behaviour for direct to Tomcat
> access and access via mod_jk.
>
It is
Mladen Turk wrote:
> William A. Rowe, Jr. wrote:
>> [EMAIL PROTECTED] wrote:
>>> Add simple URI normalizer that can deal with things like %252e%252e.
>>> This is mostly copy/paste from the IIS module
>>
>> You have me way confused ;-)
>>
>
> How it works:
> Imagine you have two applications on Tom
William A. Rowe, Jr. wrote:
[EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy/paste from the IIS module
[EMAIL PROTECTED] wrote:
> Author: mturk
> Date: Mon Jun 4 05:08:33 2007
> New Revision: 544137
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=544137
> Log:
> Add simple URI normalizer that can deal with things like %252e%252e. This is
> mostly copy/paste from the IIS module
You have me way
Jean-Frederic wrote:
On Mon, 2007-06-04 at 12:08 +, [EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy
On Mon, 2007-06-04 at 12:08 +, [EMAIL PROTECTED] wrote:
> Author: mturk
> Date: Mon Jun 4 05:08:33 2007
> New Revision: 544137
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=544137
> Log:
> Add simple URI normalizer that can deal with things like %252e%252e. This is
> mostly copy/paste f
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy/paste from the IIS module
Modified:
tomcat/connectors/trunk/jk/native/common/j