Why is mod_jk distributed both as 2.0.2 and 2.0.4?

2003-11-09 Thread Palle Girgensohn
Hi!

How come this confusion about the latest version of mod_jk2? With the 
jakarta-tomcat-connectors-4.1.2X, a mod_jk2 version 2.0.4 is distributed. 
With 
http://www.apache.org/dist/jakarta/tomcat-connectors/jk2/source/jakarta-tomcat-connectors-jk2-src-current.tar.gz, 
the version is 2.0.2. Which one is really current? Why this confusion?

Regards,
Palle Girgensohn
FreeBSD mod_jk port maintainer
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn
setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and 
1.2.4. Tomcat version is irrelevant since the request never leaves apache, 
but anyway, it is tomcat 3.3.1a.

JkMount /pp/system/*jsp

[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (477)]: Attempting to map URI '/pp/entrance/login.jsp'
[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (558)]: jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat - *.jsp
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (477)]: Attempting to map URI '//pp/entrance/login.jsp'
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (599)]: jk_uri_worker_map_t::map_uri_to_worker, done without a match

map_uri_to_worker just makes an exact match, in my case //pp/system 
against /pp/system/, actually on line 485:

   if(0 == strncmp(uwr->context,
                   uri,
                   uwr->ctxt_len)) {

Double slashes after /pp/system/ are OK, they will be sent on to tomcat, 
which has code to handle this.

I enclose a lazy patch that makes double slashes in any request to a jsp 
file, up to the length of the configured context, to be classed as a 
security fraud. This will make mod_jk handle this request to tomcat anyway. 
Note that in the example above, this means that tomcat will get any request 
to a jsp file where there are double slashes in the first 12 characters 
(12==strlen(/pp/system/);). Of course, tomcat will issue a 404 if it has 
no file to serve, but without this patch, apache would do the 404 in that 
case. AFAIK, this hardly matters, but confuse someone? Confusion is 
probably less than without the patch, though... ;-)

Cheers,
Palle
--On Tuesday, June 24, 2003 19.51.43 +0200 Yann Cébron [EMAIL PROTECTED] wrote:

Hello Palle,

I can confirm this bug on Win2K using Apache 2.0.44 with TC4.1.24 and
setting mod_jk to auto-config. What's your exact setup regarding mod_jk ?
Greetings,

	Yann





--- common/jk_uri_worker_map.c.orig Wed Jun 25 03:43:05 2003
+++ common/jk_uri_worker_map.c  Wed Jun 25 03:43:10 2003
@@ -156,6 +156,16 @@
  */
 return i;
 }
+   if (strnstr(uri, //, uw_map-maps[i]-ctxt_len)) {
+/* 
+ * Security violation !!!
+* The request to a file to a file with a
+* configured jsp suffix has // (multiple
+* slashes). If we don't expect a fraud here,
+* apache will serve the jsp source code
+ */
+ return i;
+   }
 }
 }
 }
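
Review bot: the added block returns i as soon as "//" appears in the first ctxt_len bytes of the URI, without comparing those bytes to the context at all, so a request with a doubled slash is handed to whichever map entry the loop is on even when its path belongs to none of the mounted contexts. Collapsing repeated slashes in uri before the existing prefix comparison would keep the match exact and let unrelated paths fall through to Apache as before. strnstr is also a BSD libc extension, not ISO C or POSIX, so this will not build everywhere mod_jk is compiled, and the comment repeats "to a file" twice.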


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn


--On Wednesday, June 25, 2003 11.41.29 +0200 Henri Gomez [EMAIL PROTECTED] wrote:

Palle Girgensohn wrote:
setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
1.2.4. Tomcat version is irrelevant since the request never leaves
apache, but anyway, it is tomcat 3.3.1a.

JkMount /pp/system/*jsp

Shouldn't it be :

JkMount /pp/system/*.jsp

Of course it is, sorry! I have the dot, I just missed writing in my email.







Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn
--On Wednesday, June 25, 2003 11.16.02 +0200 Henri Gomez [EMAIL PROTECTED] wrote:

Palle Girgensohn wrote:
Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just
fine.
But, http://server//app/foobar.jsp will not be caught by JkMount, and
apache will send the jsp source code to the browser. Of course, a
rewrite can hinder this, but is it really meant to be this way? Is it
just me having problems?

Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
a 404 instead.
BTW, I'm using

JkMount /app/* ajp13

That's a different rule, match rule instead of suffix rule. The same code 
is responsible, though. If you get a 404, it is apache that cannot find the 
file you try to access for some other reason. The request never gets to 
tomcat. I too get 404 with that rule when accessing servlets this way, but 
I get jsp source code.

Problem is that mod_jk only does a strncmp and never bothers to check for 
anomalies in the URL. The mod_jk design never cares about this problem, 
which is strange. It is coded this way on purpose. It is not a bug, it is a 
design flaw. :(

/Palle



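
The matching behaviour discussed in this thread, reduced to a small C model (an added example, not mod_jk source and not part of any message above): a prefix strncmp on the raw URI misses //app/foobar.jsp, while the same comparison on a slash-collapsed copy matches it. The rule struct and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one JkMount suffix rule, e.g. "/app/*.jsp". */
struct rule { const char *context; const char *suffix; };

/* Returns 1 if uri ends with ".<suffix>". */
static int has_suffix(const char *uri, const char *suffix)
{
    const char *dot = strrchr(uri, '.');
    return dot != NULL && strcmp(dot + 1, suffix) == 0;
}

/* Prefix comparison on the raw URI, as described in the thread. */
int match_raw(const struct rule *r, const char *uri)
{
    return strncmp(r->context, uri, strlen(r->context)) == 0
        && has_suffix(uri, r->suffix);
}

/* Collapse runs of '/' into one; out must hold strlen(uri) + 1 bytes. */
void collapse_slashes(const char *uri, char *out)
{
    char prev = '\0';
    for (; *uri != '\0'; uri++)
        if (!(*uri == '/' && prev == '/'))
            prev = *out++ = *uri;
    *out = '\0';
}

/* Same rule, applied to the slash-collapsed URI. Returns -1 if too long. */
int match_normalized(const struct rule *r, const char *uri)
{
    char buf[1024];
    if (strlen(uri) >= sizeof buf)
        return -1;   /* caller should reject the request */
    collapse_slashes(uri, buf);
    return match_raw(r, buf);
}

int main(void)
{
    const struct rule r = { "/app/", "jsp" };   /* constructed sample rule */
    const char *uris[] = { "/app/foobar.jsp", "//app/foobar.jsp",
                           "/app//foobar.jsp", "/static/logo.png" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-20s raw=%d normalized=%d\n", uris[i],
               match_raw(&r, uris[i]), match_normalized(&r, uris[i]));
    return 0;
}
```

Unlike a check that forwards every URI containing "//", the normalized comparison still leaves paths outside the mounted context unmatched.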


mod_jk multiple slashes reveals jsp code

2003-06-23 Thread Palle Girgensohn
Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just 
fine.

But, http://server//app/foobar.jsp will not be caught by JkMount, and 
apache will send the jsp source code to the browser. Of course, a rewrite 
can hinder this, but is it really meant to be this way? Is it just me 
having problems?

/Palle



Re: building mod_jk on freebsd 4.0

2000-12-06 Thread Palle Girgensohn

Hi Jeremy!

I have exactly the same setup as you, and it works fine after
some tweaking. Here's what I had to do to Makefile.freebsd to
make it work. Maybe it will help?

--- Makefile.freebsd.orig   Tue Dec  5 18:51:22 2000
+++ Makefile.freebsdTue Dec  5 19:24:07 2000
@@ -1,18 +1,18 @@
 ## You need to edit this file - configure later :-)
 
-APACHE_HOME=/usr/local/apache
+APACHE_HOME=`apxs -q PREFIX`
 OS=freebsd
-APXS=${APACHE_HOME}/bin/apxs
+APXS=${APACHE_HOME}/sbin/apxs
 
-A13_FLAGS=-I${APACHE_HOME}/include
+A13_FLAGS=-I${APACHE_HOME}/include/apache
 
 ## I assume this one is set up already
-# JAVA_HOME=
+JAVA_HOME?=/usr/local/jdk1.2.2
 
 JAVA_INCL=-I${JAVA_HOME}/include -I${JAVA_HOME}/include/${OS}
 JAVA_LIB=-L${JAVA_HOME}/jre/lib/${ARCH}
-L${JAVA_HOME}/lib/${ARCH}/native_threads
 
-CFLAGS=-DHAVE_CONFIG_H -g -fpic  -DSHARED_MODULE -O2
-D_REENTRANT -pthread -DLINUX -Wall
+CFLAGS=-DHAVE_CONFIG_H -g -fpic  -DSHARED_MODULE -O -DFREEBSD
-Wall
 
 JK=../jk/
 SRCS=jk_ajp12_worker.c jk_connect.c jk_msg_buff.c jk_util.c
jk_ajp13.c \
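
Review bot: APACHE_HOME=`apxs -q PREFIX` needs apxs on PATH, yet APXS is then derived from APACHE_HOME as ${APACHE_HOME}/sbin/apxs, so the lookup is circular, and make keeps the backticks literally, so the command is re-run by the shell in every recipe that expands it. Setting APXS first and asking it for the directories (apxs -q SBINDIR, apxs -q INCLUDEDIR) would also remove the hard-coded include/apache suffix. The new CFLAGS drops -D_REENTRANT and -pthread while JAVA_LIB still points at native_threads; please say why that is safe on FreeBSD.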
@@ -32,7 +32,7 @@
 
 mod_jk.so: ${OBJS} mod_jk.o
$(APXS) -c -o mod_jk.so ${OBJS} mod_jk.o
-
+
 # $(CC) -shared -o mod_jk.so ${OBJS} mod_jk.o
 
 clean:
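
Review bot: the only change in this hunk replaces one empty-looking line after the apxs recipe with another, which is whitespace noise; drop the hunk, or if it removes a stray tab on that line, say so in the message.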



[PATCH] bad default charset encoding in jsp pages

2000-12-05 Thread Palle Girgensohn

Hi!

jsp pages served by tomcat contain a bad charset string in
their http header. This is not understood by some non iso8859-1
systems/browsers. Macintosh w/ netscape 4.76, for example
will fail to understand that 8859_1 is actually ISO-8859-1.

According to 
jakarta-tomcat/src/webpages/docs/api/javax/servlet/ServletResponse.html,
the reply should be "ISO-8859-1". According to IANA,
the 8859_1 is *not* a way to say ISO-8859-1 in MIME headers
http://www.isi.edu/in-notes/iana/assignments/character-sets:

Name: ISO_8859-1:1987[RFC1345,KXS2]
MIBenum: 4
Source: ECMA registry
Alias: iso-ir-100
Alias: ISO_8859-1
Alias: ISO-8859-1 (preferred MIME name)
Alias: latin1
Alias: l1
Alias: IBM819
Alias: CP819
Alias: csISOLatin1

are all allowed ways to describe a character set. 8859_1 is
apparently not one of them, although Java uses this string
internally, which is fine...

Hence, I vote for my enclosed patch, so Mac users can benefit
from tomcat jsp pages. ;-)


To repeat:
create a simple jsp page with some latin1 characters, like åäö.
serve this page with tomcat to a Macintosh w/ netscape 4.76.
You won't get åäö, but other strange characters instead.


Cheers,
Palle
-- 
 Partitur Informationsteknik AB
Wenner-Gren Center +46 8 566 280 02  
113 46 Stockholm   +46 70 785 86 02  
Sweden [EMAIL PROTECTED]

Index: src/share/org/apache/jasper/compiler/Compiler.java
===
RCS file: 
/home/cvspublic/jakarta-tomcat/src/share/org/apache/jasper/compiler/Compiler.java,v
retrieving revision 1.19.2.2
diff -u -u -r1.19.2.2 Compiler.java
--- src/share/org/apache/jasper/compiler/Compiler.java  2000/08/28 17:48:24 
1.19.2.2
+++ src/share/org/apache/jasper/compiler/Compiler.java  2000/12/06 00:39:09
@@ -142,7 +142,7 @@
 //  - compiling the generated servlets (pass -encoding to javac).
 // XXX - There are really three encodings of interest.
 
-String jspEncoding = "8859_1";  // default per JSP spec
+String jspEncoding = "ISO-8859-1";  // default per JSP spec
 String javaEncoding = "UTF8";   // perhaps debatable?
 
// This seems to be a reasonable point to scan the JSP file
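
Review bot: jspEncoding is switched to the IANA MIME name, but the context comment above it says the encodings here are also passed to javac via -encoding, so please confirm that every consumer of this string accepts "ISO-8859-1" on the JDKs Tomcat supports, not only the HTTP header path. The neighbouring javaEncoding = "UTF8" uses the same Java-internal spelling; if that value can reach a Content-Type header it needs the same treatment.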