On 21.08.2018 at 14:05, Mark Thomas wrote:
> Hi,
> I've been looking into [1] which is - essentially - that a request for
> http://<hostname>/examples/servlets/servlet/RequestInfoExample/WEB-INF
> will fail when it should be allowed.
> Currently the JK ISAPI redirector rejects any request with a path
> segment that is WEB-INF or META-INF irrespective of case.
> I'd like to propose removing this check. My reasons are:
> - It is unnecessary. Tomcat will reject all attempts to directly access
> the contents of WEB-INF or META-INF
> - It triggers false positives as IIS can't tell which part of a URI is
> the context path. For example, "/foo/bar/META-INF" is legal in the
> ROOT context but illegal if the context path is /foo/bar
> - No such restriction exists for httpd (there is a restriction when
> JkAutoAlias is used but that looks correct to me)
> Mark
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60745
Not knowing enough about IIS: the check is old (at least version 1.2.0)
and also existed in jk2. In jk2 there was a comment "XXX Make it a
default checking in uri worker map" indicating that it was originally
meant to be used not only for IIS.
All in all I agree that the check must exist in the AJP back end (such
as Tomcat). I don't know how e.g. Jetty behaves, but since mod_jk
doesn't have the check either, I do not expect a problem removing it
(and documenting the removal).
Thanks for raising this,
Rainer
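A worked illustration of the two checks discussed in this thread, added here as an example; it is not code from the JK ISAPI redirector, mod_jk or Tomcat. The first function models the context-unaware check the redirector currently applies (any WEB-INF or META-INF segment anywhere in the URI, case-insensitively, which is what produces the false positive in the bug report). The second models the back-end rule Mark relies on: reject only when the path relative to the context begins with a WEB-INF or META-INF segment, so "/foo/bar/META-INF" is allowed for the ROOT context and rejected for the context "/foo/bar". The function names and sample URIs are assumptions made for illustration, and the path is assumed to be already decoded and normalized (a real front end would have to apply any such check after normalization).

```c
/*
 * Added example, not code from the JK ISAPI redirector or Tomcat.
 * Models the two checks discussed in the thread; names are assumptions.
 * Both functions expect an already decoded and normalized URI path.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of the segment [s, s+len) against lit. */
static int seg_equals_ci(const char *s, size_t len, const char *lit)
{
    size_t i;
    if (strlen(lit) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

static int is_forbidden_segment(const char *s, size_t len)
{
    return seg_equals_ci(s, len, "WEB-INF") ||
           seg_equals_ci(s, len, "META-INF");
}

/* Context-unaware check, as the thread describes the redirector's current
 * behaviour: returns 1 (reject) if ANY '/'-separated segment of the URI
 * is WEB-INF or META-INF, regardless of case. */
int jk_segment_check(const char *uri)
{
    const char *p = uri;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len && is_forbidden_segment(p, len))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Context-aware check, as the AJP back end can do it because it knows the
 * context path: returns 1 (reject) only if the path relative to the context
 * starts with a WEB-INF or META-INF segment. context_path is "" for ROOT.
 * A URI that does not belong to this context is not rejected here. */
int tomcat_context_check(const char *uri, const char *context_path)
{
    size_t clen = strlen(context_path);
    const char *rel, *end;
    size_t len;

    /* The URI must equal the context path or continue with "<ctx>/". */
    if (strncmp(uri, context_path, clen) != 0 ||
        (uri[clen] != '/' && uri[clen] != '\0'))
        return 0;
    rel = uri + clen;
    if (*rel == '/')
        rel++;
    end = strchr(rel, '/');
    len = end ? (size_t)(end - rel) : strlen(rel);
    return len && is_forbidden_segment(rel, len);
}

int main(void)
{
    /* Constructed sample URIs taken from the discussion above. */
    const char *bug_uri = "/examples/servlets/servlet/RequestInfoExample/WEB-INF";
    const char *ambiguous = "/foo/bar/META-INF";

    printf("%s\n  redirector check: %d, Tomcat (ctx /examples): %d\n",
           bug_uri, jk_segment_check(bug_uri),
           tomcat_context_check(bug_uri, "/examples"));
    printf("%s\n  redirector check: %d, Tomcat (ROOT): %d, Tomcat (ctx /foo/bar): %d\n",
           ambiguous, jk_segment_check(ambiguous),
           tomcat_context_check(ambiguous, ""),
           tomcat_context_check(ambiguous, "/foo/bar"));
    return 0;
}
```

For the bug-report URI the segment check rejects while the context-aware check allows, because "WEB-INF" is the servlet's path info rather than the first segment under the context; for "/foo/bar/META-INF" only the context-aware check can tell the two cases apart, which is the point of the proposal.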