On 11/06/2020 07:51, jean-frederic clere wrote: > On 10/06/2020 11:53, Ruediger Pluem wrote: >> >> >> On 6/9/20 12:05 PM, jean-frederic clere wrote: >>> Hi, >>> >>> Basically it adds servletnormalizecheck to mod_proxy for >>> ProxyPass/ProxyPassMatch and mod_rewrite when using P >>> I have tested the following uses: >>> #ProxyPass /docs ajp://localhost:8009/docs secret=%A1b2!@ >>> servletnormalizecheck >>> >>> #ProxyPassMatch "^/docs(.*)$" "ajp://localhost:8009/docs$1" >>> secret=%A1b2!@ servletnormalizecheck >>> >>> #RewriteEngine On >>> #RewriteRule "^/docs(.*)$" "ajp://localhost:8009/docs$1" [P,SNC] >>> #<Proxy "ajp://localhost:8009/docs"> >>> #ProxySet connectiontimeout=5 timeout=30 secret=%A1b2!@ >>> #</Proxy> >>> >>> #<Location "/docs"> >>> # ProxyPass ajp://localhost:8009/docs secret=%A1b2!@ >>> servletnormalizecheck >>> #</Location> >>> >>> What is not supported is >>> curl -v --path-as-is >>> "http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp" >>> >>> that could be remapped to >>> ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@ >>> servletnormalizecheck >>> or a <location test/> >>> >>> Comments? >> >> I understood from Mark that the request you do above with curl should >> not be denied but just mapped to /test. >> But rethinking that, it becomes real fun: For mapping we should use >> the URI stripped off path parameters and then having done the >> shrinking operation (servlet normalized) but we should use the >> original URI having done the shrinking operation with path >> parameters to sent to the backend. That might work for a simple prefix >> matching, but it seems to be very difficult for regular >> expression scenarios where you might use complex captures from the >> matching to build the result. But if the matching was done >> against the servlet normalized URI the captures might be different, >> than the ones you would have got when doing the same against >> not normalized URI. So I am little bit lost here.
I can see how this gets complicated for regular expression scenarios. Since the servlet specification doesn't have the concept of regular expression mapping, I don't think the rationale for servletnormalize applies in that case. There is no expectation of how the mapping will occur from a servlet perspective so the httpd behaviour cannot be unexpected. Coming from a servlet perspective I have no view on what the 'correct' behaviour is in this case. I'll happily support whatever the httpd community thinks is best. >> What if we just have an option on virtual host base to drop path >> parameters of the following kind >> >> s#/([.]{0,2})(;[^/]*)/#/$1/g >> >> do the usual shrinking operation afterwards and just process them >> afterwards as usual. > > I think it makes sense to have it there but separated from the > servletnormalizecheck because that changes the whole <VirtualHost/> mapping > So I will add something like MergeSlashes which will map > http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp > to /test > And arrange the proxy so that /docs/..;foo=bar/;foo=bar/test/index.jsp > is sent to the back-end. That sounds good to me. That is the expected mapping from a servlet perspective. Thanks for all your efforts on this. Mark