I seem to be getting into a habit of clicking "Send" instead
of "Save". :(

I think this is something that to some degree is a necessary
evil.  Hopefully I will be able to tell more when I can get
back into the code.  The trick is allowing this "okay" URL
to succeed while preventing malicious uses of "%2F" from also
succeeding.

Cheers,
Larry

> -----Original Message-----
> From: Larry Isaacs 
> Sent: Thursday, February 06, 2003 8:02 AM
> To: Tomcat Developers List
> Subject: RE: cvs commit: 
> jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
> 
> 
> 
> 
> > -----Original Message-----
> > From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]] 
> > Sent: Thursday, February 06, 2003 4:51 AM
> > To: 'Tomcat Developers List'
> > Subject: RE: cvs commit: 
> > jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
> > 
> > 
> > Larry,
> > 
> > > 
> > > Thanks.  The restored mod_jk behavior is the same as
> > > Tomcat 3.3.x with <DecodeInterceptor ... safe="true"/>,
> > > the default.  Unsafe escapes give 403's.  We can
> > > add a similar option to mod_jk to turn off the checking.
> > > Though, I can't imagine a situation where it would make
> > > sense to accept the risks to gain access to these escapes.  
> > 
> > The problem is that i_r2.dll is spitting 403 on any URL that contains
> > %2F. Remember, the filter does see ALL the requests that pass through
> > the IIS server; we are rejecting URLs NOT for Tomcat, like in
> > /test%2Ftest.asp. This is the wrong behaviour the user is seeing, and
> > I think it's a little aggressive, don't you? So this needs to be solved.
> > 
> > Saludos, 
> > Ignacio J. Ortega 
> > 
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
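
The scoping problem discussed in this thread, sketched as an added example; it is not code from these messages or from jk_isapi_plugin.c. The names `classify` and `under`, the mount list, and the choice to treat only `%2F` as the unsafe escape are assumptions; the URI is assumed to be the path only, with no query string.

```c
#include <ctype.h>
#include <string.h>

enum verdict { PASS_TO_IIS, FORWARD_TO_TOMCAT, REJECT_403 };

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes into out; *slash is set when an escaped '/' is seen.
   Returns -1 on a malformed escape, an escaped NUL, or overflow. */
static int decode(const char *in, char *out, size_t cap, int *slash) {
    size_t o = 0;
    for (*slash = 0; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            if (c == '/') *slash = 1;
            in += 2;
        }
        if (o + 1 >= cap) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* True when path is the mount itself or lies below it. */
static int under(const char *path, const char *mount) {
    size_t n = strlen(mount);
    return strncmp(path, mount, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Apply the unsafe-escape check only to requests that map to a Tomcat
   mount, matched on both the raw and the decoded path so an escaped
   slash cannot hide the mapping. Everything else is left to IIS. */
enum verdict classify(const char *uri, const char *const *mounts, size_t n) {
    char dec[2048];
    int slash = 0, bad = decode(uri, dec, sizeof dec, &slash) != 0;
    for (size_t i = 0; i < n; i++)
        if (under(uri, mounts[i]) || (!bad && under(dec, mounts[i])))
            return (bad || slash) ? REJECT_403 : FORWARD_TO_TOMCAT;
    return PASS_TO_IIS;
}
```

With a constructed mount of `/examples`, `/test%2Ftest.asp` is left for IIS, while `/examples/a%2Fb.jsp` and `/examples%2fhidden.jsp` both get the 403.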
