Why is mod_jk distributed both as 2.0.2 and 2.0.4?
Hi!

How come this confusion about the latest version of mod_jk2?

With the jakarta-tomcat-connectors-4.1.2X, a mod_jk2 version 2.0.4 is distributed.

With http://www.apache.org/dist/jakarta/tomcat-connectors/jk2/source/jakarta-tomcat-connectors-jk2-src-current.tar.gz, the version is 2.0.2.

Which one is really current? Why this confusion?

Regards,
Palle Girgensohn
FreeBSD mod_jk port maintainer

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk multiple slashes reveals jsp code
setup: FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and 1.2.4. Tomcat version is irrelevant since the request never leaves apache, but anyway, it is tomcat 3.3.1a.

JkMount /pp/system/*jsp

[Wed Jun 25 01:32:48 2003] [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:32:48 2003] [jk_uri_worker_map.c (477)]: Attempting to map URI '/pp/entrance/login.jsp'
[Wed Jun 25 01:32:48 2003] [jk_uri_worker_map.c (558)]: jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat - *.jsp
[Wed Jun 25 01:33:14 2003] [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:33:14 2003] [jk_uri_worker_map.c (477)]: Attempting to map URI '//pp/entrance/login.jsp'
[Wed Jun 25 01:33:14 2003] [jk_uri_worker_map.c (599)]: jk_uri_worker_map_t::map_uri_to_worker, done without a match

map_uri_to_worker just makes an exact match, in my case //pp/system against /pp/system/, actually on line 485:

    if(0 == strncmp(uwr->context, uri, uwr->ctxt_len)) {

double slashes after /pp/system/ are OK, they will be sent on to tomcat, which has code to handle this.

I enclose a lazy patch that makes double slashes in any request to a jsp file, up to the length of the configured context, to be classed as a security fraud. This will make mod_jk handle this request to tomcat anyway. Note that in the example above, this means that tomcat will get any request to a jsp file where there is double slashes in the first 12 characters (12==strlen(/pp/system/);). Of course, tomcat will issue a 404 if it has no file to serve, but without this patch, apache would do the 404 in that case. AFAIK, this hardly matters, but confuse someone? Confusion is probably less than without the patch, though... ;-)

Cheers,
Palle

--On Tuesday, June 24, 2003 19.51.43 +0200 Yann Cébron [EMAIL PROTECTED] wrote:

> Hello Palle,
>
> I can confirm this bug on Win2K using Apache 2.0.44 with TC4.1.24 and setting mod_jk to auto-config.
>
> What's your exact setup regarding mod_jk?
>
> Greetings, Yann

--- common/jk_uri_worker_map.c.orig Wed Jun 25 03:43:05 2003 +++ common/jk_uri_worker_map.c Wed Jun 25 03:43:10 2003 @@ -156,6 +156,16 @@ */ return i; } + if (strnstr(uri, //, uw_map-maps[i]-ctxt_len)) { +/* + * Security violation !!! +* The request to a file to a file with a +* configured jsp suffix has // (multiple +* slashes). If we don't expect a fraud here, +* apache will serve the jsp source code + */ + return i; + } } } }
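Review bot: the added strnstr() test only looks for a doubled slash inside the first ctxt_len bytes of the URI and then returns worker i for any request with the jsp suffix, whether or not the path belongs to that worker's context. Collapsing repeated slashes in the URI once, before the map loop, and then running the existing strncmp match on the cleaned path would keep the mapping tied to the configured context and would not need a special case here. strnstr() is also a BSD libc function that glibc and the Windows C runtime do not provide, so the module would need its own fallback on the other platforms mentioned in this thread. The new comment repeats "to a file" and should say which mapping the early return selects.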
Re: mod_jk multiple slashes reveals jsp code
--On Wednesday, June 25, 2003 11.41.29 +0200 Henri Gomez [EMAIL PROTECTED] wrote:

> Palle Girgensohn wrote:
>
>> setup: FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and 1.2.4. Tomcat version is irrelevant since the request never leaves apache, but anyway, it is tomcat 3.3.1a.
>>
>> JkMount /pp/system/*jsp
>
> Shouldn't it be:
>
> JkMount /pp/system/*.jsp

Of course it is, sorry! I have the dot, I just missed writing in my email.
Re: mod_jk multiple slashes reveals jsp code
--On Wednesday, June 25, 2003 11.16.02 +0200 Henri Gomez [EMAIL PROTECTED] wrote:

> Palle Girgensohn wrote:
>
>> Hi,
>>
>> When using mod_jk and apache13:
>>
>> JkMount /app/*jsp ajp13
>>
>> will redirect requests like http://server/app/foobar.jsp to tomcat, just fine.
>>
>> But, http://server//app/foobar.jsp will not be caught by JkMount, and apache will send the jsp source code to the browser.
>>
>> Of course, a rewrite can hinder this, but is it really meant to be this way? Is it just me having problems?
>
> Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got a 404 instead.
>
> BTW, I'm using JkMount /app/* ajp13

That's a different rule, match rule instead of suffix rule. The same code is responsible, though. If you get a 404, it is apache that cannot find the file you try to access for some other reason. The request never gets to tomcat. I too get 404 with that rule when accessing servlets this way, but I get jsp source code.

Problem is that mod_jk only does a strncmp and never bothers to check for anomalies in the URL. The mod_jk design never cares about this problem, which is strange. It is coded this way on purpose. It is not a bug, it is a design flaw. :(

/Palle
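The prefix-plus-suffix match discussed in this thread, as an added example (it is not mod_jk's source and not the patch posted above): a raw strncmp test misses //app/foobar.jsp, while collapsing repeated slashes before matching sends it to the worker. The struct, the function names and the 1024-byte limit are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one suffix rule such as "JkMount /app/*.jsp". */
struct suffix_rule { const char *context; const char *suffix; };

static int has_suffix(const char *uri, const char *suffix)
{
    size_t ulen = strlen(uri), slen = strlen(suffix);
    return ulen >= slen && strcmp(uri + ulen - slen, suffix) == 0;
}

/* The match described in the thread: strncmp of the configured context
 * against the raw request path, then the suffix test. 1 = send to Tomcat. */
int match_raw(const struct suffix_rule *r, const char *uri)
{
    return strncmp(r->context, uri, strlen(r->context)) == 0
        && has_suffix(uri, r->suffix);
}

/* Collapse runs of '/' in a request path (no query string) into one.
 * Returns 0 on success, -1 if out is too small to hold the result. */
int collapse_slashes(const char *uri, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; uri[i] != '\0'; i++) {
        if (uri[i] == '/' && i > 0 && uri[i - 1] == '/')
            continue;                      /* drop the repeated slash */
        if (o + 1 >= outlen) return -1;    /* keep room for the NUL */
        out[o++] = uri[i];
    }
    out[o] = '\0';
    return 0;
}

/* Normalise first, then apply the same rule.
 * 1 = match, 0 = no match, -1 = path too long (caller should refuse it). */
int match_normalised(const struct suffix_rule *r, const char *uri)
{
    char buf[1024];                        /* assumed upper bound */
    if (collapse_slashes(uri, buf, sizeof buf) != 0) return -1;
    return match_raw(r, buf);
}

int main(void)
{
    const struct suffix_rule rule = { "/app/", ".jsp" };
    /* Constructed sample paths, based on the URLs quoted in the thread. */
    const char *paths[] = { "/app/foobar.jsp", "//app/foobar.jsp" };
    for (int i = 0; i < 2; i++)
        printf("%s raw=%d normalised=%d\n", paths[i],
               match_raw(&rule, paths[i]), match_normalised(&rule, paths[i]));
    return 0;
}
```
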
mod_jk multiple slashes reveals jsp code
Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just fine.

But, http://server//app/foobar.jsp will not be caught by JkMount, and apache will send the jsp source code to the browser.

Of course, a rewrite can hinder this, but is it really meant to be this way? Is it just me having problems?

/Palle
Re: building mod_jk on freebsd 4.0
Hi Jeremy!

I have exactly the same setup as you, and it works fine after some tweaking. Here's what I had to do to Makefile.freebsd to make it work. Maybe it will help?

--- Makefile.freebsd.orig Tue Dec 5 18:51:22 2000 +++ Makefile.freebsdTue Dec 5 19:24:07 2000 @@ -1,18 +1,18 @@ ## You need to edit this file - configure later :-) -APACHE_HOME=/usr/local/apache +APACHE_HOME=`apxs -q PREFIX` OS=freebsd -APXS=${APACHE_HOME}/bin/apxs +APXS=${APACHE_HOME}/sbin/apxs -A13_FLAGS=-I${APACHE_HOME}/include +A13_FLAGS=-I${APACHE_HOME}/include/apache ## I assume this one is set up already -# JAVA_HOME= +JAVA_HOME?=/usr/local/jdk1.2.2 JAVA_INCL=-I${JAVA_HOME}/include -I${JAVA_HOME}/include/${OS} JAVA_LIB=-L${JAVA_HOME}/jre/lib/${ARCH} -L${JAVA_HOME}/lib/${ARCH}/native_threads -CFLAGS=-DHAVE_CONFIG_H -g -fpic -DSHARED_MODULE -O2 -D_REENTRANT -pthread -DLINUX -Wall +CFLAGS=-DHAVE_CONFIG_H -g -fpic -DSHARED_MODULE -O -DFREEBSD -Wall JK=../jk/ SRCS=jk_ajp12_worker.c jk_connect.c jk_msg_buff.c jk_util.c jk_ajp13.c \ @@ -32,7 +32,7 @@ mod_jk.so: ${OBJS} mod_jk.o $(APXS) -c -o mod_jk.so ${OBJS} mod_jk.o - + # $(CC) -shared -o mod_jk.so ${OBJS} mod_jk.o clean:
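Review bot: in the first hunk APACHE_HOME is now taken from whichever apxs is first on PATH, and APXS is then set to ${APACHE_HOME}/sbin/apxs, so the build can query one apxs and compile with another, and it still hard-codes the sbin and include/apache sub-directories. Setting APXS once and asking it for the directories (apxs -q INCLUDEDIR for the header path) would remove both assumptions. The CFLAGS line also drops -D_REENTRANT and -pthread together with -DLINUX while JAVA_LIB still points at native_threads; the reason for building without the thread flags should be stated.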
[PATCH] bad default charset encoding in jsp pages
Hi!

jsp pages served by tomcat contain a bad charset string in their http header. This is not understood by some non iso8859-1 systems/browsers. Macintosh w/ netscape 4.76, for example will fail to understand that 8859_1 is actually ISO-8859-1.

According to jakarta-tomcat/src/webpages/docs/api/javax/servlet/ServletResponse.html, the reply should be "ISO-8859-1".

According to IANA, the 8859_1 is *not* a way to say ISO-8859-1 in MIME headers http://www.isi.edu/in-notes/iana/assignments/character-sets:

Name: ISO_8859-1:1987 [RFC1345,KXS2]
MIBenum: 4
Source: ECMA registry
Alias: iso-ir-100
Alias: ISO_8859-1
Alias: ISO-8859-1 (preferred MIME name)
Alias: latin1
Alias: l1
Alias: IBM819
Alias: CP819
Alias: csISOLatin1

are all allowed ways to describe a character set. 8859_1 is apparently not one of them, although Java uses this string internally, which is fine...

Hence, I vote for my enclosed patch, so Mac users can benefit from tomcat jsp pages. ;-)

To repeat: create a simple jsp page with some latin1 characters, like åäö. serve this page with tomcat to a Macintosh w/ netscape 4.76. You won't get åäö, but other strange characters instead.

Cheers,
Palle

-- Partitur Informationsteknik AB Wenner-Gren Center +46 8 566 280 02 113 46 Stockholm +46 70 785 86 02 Sweden [EMAIL PROTECTED]

Index: src/share/org/apache/jasper/compiler/Compiler.java === RCS file: /home/cvspublic/jakarta-tomcat/src/share/org/apache/jasper/compiler/Compiler.java,v retrieving revision 1.19.2.2 diff -u -u -r1.19.2.2 Compiler.java --- src/share/org/apache/jasper/compiler/Compiler.java 2000/08/28 17:48:24 1.19.2.2 +++ src/share/org/apache/jasper/compiler/Compiler.java 2000/12/06 00:39:09
@@ -142,7 +142,7 @@ // - compiling the generated servlets (pass -encoding to javac). // XXX - There are really three encodings of interest. -String jspEncoding = "8859_1"; // default per JSP spec +String jspEncoding = "ISO-8859-1"; // default per JSP spec String javaEncoding = "UTF8"; // perhaps debatable? // This seems to be a reasonable point to scan the JSP file
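Review bot: the changed jspEncoding default sits under a comment saying there are "really three encodings of interest", so this string may be used for more than the Content-Type header, for example as the encoding name when the JSP file is read. Please confirm that every consumer of jspEncoding accepts "ISO-8859-1" on the supported JDKs, or keep the internal name here and translate to the IANA name only where the header is written. The trailing "default per JSP spec" comment could then say which of the three encodings the default refers to.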