https://issues.apache.org/bugzilla/show_bug.cgi?id=56005

            Bug ID: 56005
           Summary: ISAPI redirector WEB-INF/META-INF Path Check false
                    positive (#51769 is back)
           Product: Tomcat Connectors
           Version: 1.2.37
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: isapi
          Assignee: dev@tomcat.apache.org
          Reporter: ringz...@nym.hush.com

All:
It looks like the path checking to determine if the ISAPI redirector is serving
up something from the WEB-INF or META-INF directories is either broken again,
or Rainer's solution from Bug 51769 wasn't committed / carried forward.

Personally, I used Chris Schultz's patch on 1.2.32, just upgraded to 1.2.37 and
found the problem had returned.

Note that this does not necessarily affect mod_jk, I suspect this has more to
do with how IIS enumerates path components.  Apache sends a relative path to
mod_jk on windows which (in my situation) does not include WEB-INF.  IIS sends
an absolute pathname, which does include WEB-INF in the path to isapi_redirect
and isapi_redirect generates a 404 error.

For various purposes, I'd like to nominate a mechanism to disable the
default behavior:
In handle_notify_event (line 1994) -
Add a check before 'if (uri_is_web_inf(uri))' to see if a variable has been set
via isapi_redirect.properties that defines whether URI path checking for
WEB-INF / META-INF should be done.

That way, the server admin can decide whether IIS, Tomcat or the redirector
should do path checking (or all three).  This will also aid in webapp debugging
and backward compatibility.

System:
Windows Server 2008R2 x64
IIS 7.5
Tomcat 7.0.35 x64
isapi_redirector.dll version 1.2.37 x64
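
Added example, not part of the original report and not code from isapi_redirect: a sketch of a WEB-INF / META-INF check that matches only whole, case-insensitive path segments and can be switched off by configuration, as the report proposes. The names `uri_has_protected_segment` and `check_protected_dirs` are hypothetical, and the URI is assumed to be already percent-decoded.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical switch standing in for a value that would be read from
 * isapi_redirect.properties; 1 keeps the default (checking enabled). */
static int check_protected_dirs = 1;

/* Case-insensitive compare of one path segment against a lowercase name. */
static int segment_equals(const char *seg, size_t len, const char *name)
{
    size_t i;
    if (len != strlen(name))
        return 0;
    for (i = 0; i < len; i++) {
        if (tolower((unsigned char)seg[i]) != name[i])
            return 0;
    }
    return 1;
}

/* Returns 1 when checking is enabled and the URI path contains WEB-INF or
 * META-INF as a complete segment, otherwise 0. A name that merely contains
 * the string (e.g. "web-info") is not a match. */
int uri_has_protected_segment(const char *uri)
{
    const char *p = uri;
    if (!check_protected_dirs || uri == NULL)
        return 0;
    while (*p && *p != '?') {             /* the query string is not a path */
        size_t len;
        if (*p == '/' || *p == '\\') {    /* accept either separator */
            p++;
            continue;
        }
        len = strcspn(p, "/\\;?");        /* segment name ends at ';' too */
        if (segment_equals(p, len, "web-inf") ||
            segment_equals(p, len, "meta-inf"))
            return 1;
        p += len;
        p += strcspn(p, "/\\?");          /* skip any ;path-parameter */
    }
    return 0;
}
```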
