William A. Rowe, Jr. wrote:
[EMAIL PROTECTED] wrote:
Author: mturk
Date: Mon Jun  4 05:08:33 2007
New Revision: 544137

URL: http://svn.apache.org/viewvc?view=rev&rev=544137
Log:
Add simple URI normalizer that can deal with things like %252e%252e. This is 
mostly copy/paste from the IIS module

You have me way confused ;-)


Right. I confused many. Just look at the thread about the subject.
Almost nobody understood what I was talking about.

The uri you are processing in the httpd connector has already been unfolded.
So your desire is to double-unfold the uri?

No. Nothing is either unfolded or double unfolded.
This is internal for map_uri_to_worker.

How it works:
Imagine you have two applications on Tomcat appA and appB, and
you wish *only* to expose the appA via
JkMount /appA/* worker

Request:
http://host/appA/%252e%252e/appB/
mod_jk 1.2.22 (with default passing r->uri) will serve /appB/
mod_jk 1.2.23 (with default passing r->unparsed_uri) will return 404 from Tomcat
               because it will pass the original uri, not the one Httpd already
               unfolded
mod_jk 1.2.24 will return 404 from Httpd because there is no JkMount /appB/*


This has some very ugly side
effects for legitimately escaped paths, and if it is a security precaution,
don't you just leave yet-a-new-hole for triply-folded uris?


Again, no. It doesn't touch the original uri.
Request for http://host/appA/%252e%252e/appB/ will be unfolded by
httpd to http://host/appA/%2e%2e/appB/ before it hits mod_jk.
Inside map_uri_to_worker it will be unescaped (locally) to
/appA/../appB/ and then normalized to /appB/ and then it looks for
mounted path. In case one has JkMount /* or JkMount /appB/*, the
original uri host/appA/%2e%2e/appB/ will be passed to Tomcat.



Regards,
Mladen.
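
The mapping step described in this message, sketched as an added example in C; it is not part of the original e-mail and not mod_jk source. The function names (`unescape_once`, `normalize`, `uri_is_mounted`) and the representation of a JkMount pattern as a plain prefix such as `/appA/` are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only. Decode one level of %XX in place; -1 on a malformed escape or %00. */
static int unescape_once(char *s) {
    char *w = s;
    for (; *s; s++, w++) {
        *w = *s;
        if (*s != '%') continue;
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
        char hex[3] = { s[1], s[2], '\0' };
        if ((*w = (char)strtol(hex, NULL, 16)) == '\0') return -1;
        s += 2;
    }
    *w = '\0';
    return 0;
}

/* Resolve "." and ".." segments in place; -1 if ".." would climb above "/". */
static int normalize(char *p) {
    char *r = p, *w = p;
    if (*p != '/') return -1;
    while (*r == '/') {
        char *seg = r + 1;
        size_t n = strcspn(seg, "/");
        int dot = (n == 1 && seg[0] == '.'), dotdot = (n == 2 && seg[0] == '.' && seg[1] == '.');
        r = seg + n;                          /* next '/' or end of string */
        if (dotdot) {
            if (w == p) return -1;
            do { w--; } while (*w != '/');    /* drop the last kept segment */
        } else if (n > 0 && !dot) {
            memmove(w, seg - 1, n + 1);       /* keep "/segment" */
            w += n + 1;
        }
        if (*r == '\0' && (n == 0 || dot || dotdot)) *w++ = '/';
    }
    *w = '\0';
    return 0;
}

/* mount_prefix: JkMount pattern without its wildcard, e.g. "/appA/" (assumed form). */
int uri_is_mounted(const char *uri, const char *mount_prefix) {
    char local[1024];
    if (strlen(uri) >= sizeof(local)) return 0;
    strcpy(local, uri);                       /* decode a copy; uri itself is untouched */
    if (unescape_once(local) != 0 || normalize(local) != 0) return 0;
    return strncmp(local, mount_prefix, strlen(mount_prefix)) == 0;
}
```

With only `/appA/` mounted, `/appA/%2e%2e/appB/` resolves locally to `/appB/` and is not mapped, while the string the caller would forward stays byte-for-byte as received.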



