On Sat, 2007-06-09 at 23:15 +0200, Remy Maucherat wrote:
Mark Thomas wrote:
If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
I don't see how reencoding the URI would be possible: it will mess up
character encoding, and may
On Sat, 2007-06-09 at 23:15 +0200, Remy Maucherat wrote:
Mark Thomas wrote:
If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
I don't see how reencoding the URI would be possible: it will mess up
character encoding, and may
Jean-Frederic wrote:
On Sat, 2007-06-09 at 23:15 +0200, Remy Maucherat wrote:
Mark Thomas wrote:
If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
I don't see how reencoding the URI would be possible: it will mess up
character
Mark Thomas wrote:
If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
I don't see how reencoding the URI would be possible: it will mess up
character encoding, and may not correspond to the original URI.
How does it work in
Mark Thomas wrote:
Single ajp13 worker
jkMount /jsp-examples/* worker1
A simple 'hello world' html file was created at (directories created
where required):
appBase/jsp-examples/%2e%2e/servlets-examples/index.html
Test 1: Tomcat only
Mladen Turk wrote:
Mark Thomas wrote:
mod_jk 1.2.23 (with default passing r->unparsed_uri) will return 404
from Tomcat because it will pass the original uri, not the one Httpd
already unfolded)
This is correct and provides consistent behaviour for direct to Tomcat
access and access via
Mark Thomas wrote:
Did I mention that uri is *not* decoded twice?
You did and I still don't agree. The root cause of CVE-2007-1860 was a
double decoding. Once in httpd/mod_jk and once in Tomcat.
Why don't you agree?
Please provide a use case and confirm your statements are
legitimate.
Mark Thomas wrote:
As I see it, we have two options:
a) Prevent Tomcat from decoding the uri a second time at step 7 above
b) Re-encode the uri in mod_jk between steps 5 and 6
The problem with b) is that we can't easily tell what characters were
previously encoded and need to be re-encoded. b)
Remy Maucherat wrote:
Mark Thomas wrote:
As I see it, we have two options:
a) Prevent Tomcat from decoding the uri a second time at step 7 above
b) Re-encode the uri in mod_jk between steps 5 and 6
I think:
- it's the proxy which should have options for adapting to what the
proxied server
Mladen Turk wrote:
Mark Thomas wrote:
Did I mention that uri is *not* decoded twice?
You did and I still don't agree. The root cause of CVE-2007-1860 was a
double decoding. Once in httpd/mod_jk and once in Tomcat.
Why don't you agree?
Please provide a use case and confirm your
Mladen Turk wrote:
William A. Rowe, Jr. wrote:
[EMAIL PROTECTED] wrote:
Add simple URI normalizer that can deal with things like %252e%252e.
This is mostly copy/paste from the IIS module
You have me way confused ;-)
How it works:
Imagine you have two applications on Tomcat appA and
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy/paste from the IIS module
Modified:
On Mon, 2007-06-04 at 12:08 +, [EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy/paste from the
Jean-Frederic wrote:
On Mon, 2007-06-04 at 12:08 +, [EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly
[EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy/paste from the IIS module
You have me way
William A. Rowe, Jr. wrote:
[EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun 4 05:08:33 2007
New Revision: 544137
URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is
mostly copy/paste from the IIS module
16 matches