Hi,

I've been looking into [1] which is - essentially - that a request for
http://<hostname>/examples/servlets/servlet/RequestInfoExample/WEB-INF
will fail when it should be allowed.

Currently the JK ISAPI redirector rejects any request with a path
segment that is WEB-INF or META-INF irrespective of case.

I'd like to propose removing this check. My reasons are:

- It is unnecessary. Tomcat will reject all attempts to directly access
  the contents of WEB-INF or META-INF
- It triggers false positives as IIS can't tell which part of a URI is
  the context path. For example, "/foo/bar/META-INF" is legal in the
  ROOT context but illegal if the context path is /foo/bar
- No such restriction exists for httpd (there is a restriction when
  JkAutoAlias is used but that looks correct to me)

Mark

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60745
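The false positive described in the message, as an added example (not code from the JK ISAPI redirector or from the message's author). The function names are hypothetical, the URI is assumed to be an already-decoded path without a query string, and the context-aware check assumes that only the first segment below the context path is protected, which matches the "/foo/bar" case in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: is this path segment WEB-INF or META-INF? */
static int seg_protected(const char *seg, size_t len) {
    static const char *names[] = { "WEB-INF", "META-INF" };
    for (int n = 0; n < 2; n++) {
        size_t i = 0;
        if (len != strlen(names[n])) continue;
        while (i < len && toupper((unsigned char)seg[i]) == names[n][i]) i++;
        if (i == len) return 1;
    }
    return 0;
}

/* Context-unaware filter as the message describes it: reject when ANY
 * segment of the URI is WEB-INF or META-INF, irrespective of case. */
int any_segment_protected(const char *uri) {
    const char *p = uri;
    while (*p) {
        while (*p == '/') p++;
        size_t len = strcspn(p, "/");
        if (seg_protected(p, len)) return 1;
        p += len;
    }
    return 0;
}

/* Context-aware check (assumed model): only the first segment below the
 * context path counts. context is "" for ROOT, otherwise e.g. "/foo/bar". */
int protected_in_context(const char *uri, const char *context) {
    size_t clen = strlen(context);
    if (strncmp(uri, context, clen) != 0) return 0;  /* other context */
    const char *p = uri + clen;
    if (*p != '/') return 0;          /* nothing below the context path */
    while (*p == '/') p++;
    return seg_protected(p, strcspn(p, "/"));
}

int main(void) {
    const char *uri = "/foo/bar/META-INF";  /* sample URI from the message */
    printf("any-segment filter: %d\n", any_segment_protected(uri));
    printf("ROOT context:       %d\n", protected_in_context(uri, ""));
    printf("/foo/bar context:   %d\n", protected_in_context(uri, "/foo/bar"));
    return 0;
}
```

The any-segment filter cannot separate the last two cases because it never sees the context path, which only the servlet container knows.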
