Marc Slemko wrote:
> On Thu, 27 Jun 2003 [EMAIL PROTECTED] wrote:
>
> > billbarker 2003/06/26 19:54:18
> >
> >  Modified:    jk/native/common jk_uri_worker_map.c jk_uri_worker_map.h
> >  Log:
> >  Fix problem with URLs that contain "//".
> >
> >  This is essentially what Apache/httpd does in location_walk.
>
> Make sure you realize that, especially on Windows, this is unlikely to
> be sufficient to fix this class of problems unless there is other code
> somewhere that I didn't see when I checked.
>
> What happens, for example, if you have a directory /directory/ that
> also has an 8.3 name direct~1 and access the direct~1 form of the name?
> What prevents the rule mapping /directory/*.jsp to tomcat from being
> bypassed?
>
> This is one of the reasons why the Apache documentation tells you
> never to use a Location section to protect or control access to
> the filesystem, but instead to use a Directory section.  Due to filename
> variance there are many different filenames, and hence URLs, that
> can be used to access the same actual file bypassing the protection
> (in this case mapping).  This requires the filename be canonicalized
> for comparisons, which is partly done in directory_walk() in Apache.
>
> Certainly, doing this right is complex.  But that is one of the
> exact reasons I run Apache in front of Tomcat and why I want Tomcat
> and the connectors to it to have the smallest possible duplicate
> codepath.

If you want to be very secure, you use Apache in front of Tomcat, with the Tomcats located on other machines.

In such a case you use ajp13, and with this configuration I DIDN'T HAVE
ANY PROBLEM with '//' since it's handled by Tomcat (tested with 3.3.1a),
since the Apache web server can't read NON LOCAL DATA, can it?

The general rule for security is to make use of JkMount to ROOT:

JkMount /webappx/servlet/ ajpworker
JkMount /webappx/*.jsp    ajpworker

Or JkMount /webappx/* ajpworker


And in your jsp/servlet/..., you put references to Apache-handled elements,
like images and HTML in /images, /text, /xxxx, which are NOT in the /webappx scope and so will be served by Apache.


You seem very aware of Apache internals and I reiterate our proposal
(at least Remy and I), to provide fixes.

And remember La Fontaine:

'Without lying, if your song matches your plumage,
you are the phoenix of the hosts of these woods'


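Added example, not code from the thread, from mod_jk or from Apache: a small C program that shows what the "//" fix in the commit amounts to when done as URI normalization (collapsing slash runs and resolving "." and ".." segments) and then checks the normalized path against JkMount-style rules like the ones in the reply above. The mount table, the function names and the sample URIs are assumptions for illustration. It also makes Marc's point concrete: the same request routes differently depending on whether the comparison uses the raw or the normalized URI, and a string-level normalizer can do nothing about filesystem aliases such as 8.3 names, which need the resolved filename canonicalized instead.

```c
#include <stdio.h>
#include <string.h>

/* Collapse runs of '/', drop "." segments and resolve ".." segments without
 * climbing above "/". A trailing '/' in the input is preserved. Returns the
 * normalized length, or -1 if the result does not fit in out[outsz].
 * Query strings are not handled: strip "?..." before calling.
 * Caveat (the point made in the thread): this operates on the URI string only.
 * It cannot fold filesystem aliases such as Windows 8.3 names (direct~1) or
 * case-insensitive matches; that needs the resolved filename canonicalized. */
int normalize_uri(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    const char *p = in;
    int ended_slash = (in[0] != '\0' && in[strlen(in) - 1] == '/');

    if (outsz == 0) return -1;
    out[0] = '\0';

    while (*p) {
        while (*p == '/') p++;                  /* "//" run collapses here */
        if (!*p) break;

        const char *seg = p;                    /* one path segment */
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;                           /* "/./" adds nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 0 && out[len - 1] != '/') len--;   /* pop segment */
            if (len > 0) len--;                 /* and the '/' before it */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen >= outsz) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0 || (ended_slash && out[len - 1] != '/')) {
        if (len + 1 >= outsz) return -1;
        out[len++] = '/';
        out[len] = '\0';
    }
    return (int)len;
}

/* Match a uri against one JkMount-style pattern. Supported forms are the ones
 * quoted in the thread: "/ctx/" (everything below), "/ctx/*" (same) and
 * "/ctx/*.ext" (suffix under a prefix). Anything else is an exact match. */
int uri_matches_mount(const char *uri, const char *mount)
{
    size_t mlen = strlen(mount);
    const char *star = strchr(mount, '*');

    if (star && star[1] == '.') {
        size_t plen = (size_t)(star - mount);
        const char *suffix = star + 1;
        size_t slen = strlen(suffix), ulen = strlen(uri);
        return strncmp(uri, mount, plen) == 0 && ulen >= plen + slen &&
               strcmp(uri + ulen - slen, suffix) == 0;
    }
    if (star && star[1] == '\0')
        return strncmp(uri, mount, (size_t)(star - mount)) == 0;
    if (mlen > 0 && mount[mlen - 1] == '/')
        return strncmp(uri, mount, mlen) == 0;
    return strcmp(uri, mount) == 0;
}

/* Hypothetical mount table, mirroring the JkMount lines in the reply. */
static const char *mounts[] = { "/webappx/servlet/", "/webappx/*.jsp", NULL };

/* Raw comparison: 1 if the URI as received hits a mount, else 0. */
int routed_raw(const char *raw_uri)
{
    for (int i = 0; mounts[i]; i++)
        if (uri_matches_mount(raw_uri, mounts[i])) return 1;
    return 0;
}

/* Normalized comparison: 1 if the canonical form hits a mount, 0 if not,
 * -1 if normalization failed (oversized path). */
int routed_to_tomcat(const char *raw_uri)
{
    char norm[1024];
    if (normalize_uri(raw_uri, norm, sizeof norm) < 0) return -1;
    for (int i = 0; mounts[i]; i++)
        if (uri_matches_mount(norm, mounts[i])) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample requests; the second and third miss the raw
     * prefix compare and would fall through to Apache's own handling. */
    const char *samples[] = { "/webappx/servlet/Foo", "/webappx//servlet/Foo",
                              "/images/../webappx/servlet/Foo", "/images/logo.gif" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s raw=%d normalized=%d\n", samples[i],
               routed_raw(samples[i]), routed_to_tomcat(samples[i]));
    return 0;
}
```

The contrast between `routed_raw` and `routed_to_tomcat` is the reason a context mount such as `/webappx/servlet/` has to be compared against a normalized URI; the caveat comment on `normalize_uri` is the other half of Marc's remark, that no amount of string normalization settles which file a name on disk really is.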