Re: %3B in path-info

2008-04-11 Thread Rémy Maucherat
On Fri, Apr 11, 2008 at 4:51 AM, Jess Holle [EMAIL PROTECTED] wrote: Agreed -- but that draws me back to the need for an option (or default behavior!) in mod_proxy_ajp wherein the URL passed to via AJP is not decoded. The thing is that it is news to me that mod_proxy_ajp passes decoded URLs

%3B in path-info

2008-04-10 Thread Jess Holle
We have some servlets that take rather general path-info's. When these include a /properly escaped/ semicolon, invoking getPathInfo() in Tomcat results in a truncated path info. Is this a known bug? For example, one might have the request

Re: %3B in path-info

2008-04-10 Thread Rainer Jung
Jess Holle wrote: We have some servlets that take rather general path-info's. When these include a /properly escaped/ semicolon, invoking getPathInfo() in Tomcat results in a truncated path info. Is this a known bug? For example, one might have the request

Re: %3B in path-info

2008-04-10 Thread Jess Holle
You're right -- this works fine in the direct case. So I need to file a bug against mod_proxy_ajp instead? Or is there some chance this is in the AJP connector? Rainer Jung wrote: So are you saying, that the request goes through httpd/mod_proxy or mod_jk? If so, you should first test with

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Is there any reasonable way I can tell where the issue resides, mod_proxy_ajp or the Tomcat AJP connector. I'm using Apache 2.2.8 and the Java (non-native, non-NIO) AJP connector. [The native connector is just too painful to build on half a dozen platforms...] Jess Holle wrote: You're

Re: %3B in path-info

2008-04-10 Thread Mark Thomas
Jess Holle wrote: Is there any reasonable way I can tell where the issue resides, mod_proxy_ajp or the Tomcat AJP connector. I'll do a quick test and get back to you. Mark

Re: %3B in path-info

2008-04-10 Thread Mark Thomas
Jess Holle wrote: You're right -- this works fine in the direct case. So I need to file a bug against mod_proxy_ajp instead? Or is there some chance this is in the AJP connector? Only if there is a bug - we haven't shown that yet ;) Could you provide some version numbers please (httpd,

Re: %3B in path-info

2008-04-10 Thread Mark Thomas
Mark Thomas wrote: Jess Holle wrote: Is there any reasonable way I can tell where the issue resides, mod_proxy_ajp or the Tomcat AJP connector. I'll do a quick test and get back to you. Looks like a mod_proxy_ajp bug/configuration error. Using mod_jk (1.2.24-dev but relevant code hasn't

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Mark Thomas wrote: Jess Holle wrote: You're right -- this works fine in the direct case. So I need to file a bug against mod_proxy_ajp instead? Or is there some chance this is in the AJP connector? Only if there is a bug - we haven't shown that yet ;) Could you provide some version numbers

Re: %3B in path-info

2008-04-10 Thread Mark Thomas
Jess Holle wrote: Mark Thomas wrote: Jess Holle wrote: You're right -- this works fine in the direct case. So I need to file a bug against mod_proxy_ajp instead? Or is there some chance this is in the AJP connector? Only if there is a bug - we haven't shown that yet ;) Could you provide

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Mark Thomas wrote: Jess Holle wrote: Mark Thomas wrote: Jess Holle wrote: You're right -- this works fine in the direct case. So I need to file a bug against mod_proxy_ajp instead? Or is there some chance this is in the AJP connector? Only if there is a bug - we haven't shown that yet ;)

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Jess Holle wrote: Mark Thomas wrote: Jess Holle wrote: Mark Thomas wrote: Jess Holle wrote: You're right -- this works fine in the direct case. So I need to file a bug against mod_proxy_ajp instead? Or is there some chance this is in the AJP connector? Only if there is a bug - we haven't

Re: %3B in path-info

2008-04-10 Thread Mark Thomas
Jess Holle wrote: Mark Thomas wrote: I couldn't see anything either. This looks like a mod_proxy_ajp bug/missing feature. I jumped the gun once by filing this against Tomcat, but it seems everything is pointing to mod_proxy_ajp. Is it time to file a bug against it? Looks like it to me.

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Mark Thomas wrote: Jess Holle wrote: Mark Thomas wrote: I couldn't see anything either. This looks like a mod_proxy_ajp bug/missing feature. I jumped the gun once by filing this against Tomcat, but it seems everything is pointing to mod_proxy_ajp. Is it time to file a bug against it? Looks

Re: %3B in path-info

2008-04-10 Thread Rémy Maucherat
On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle [EMAIL PROTECTED] wrote: Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803] Guys, you've been going crazy about a (known) security issue: CVE-2007-1860 See http://tomcat.apache.org/security-jk.html Rémy

Re: %3B in path-info

2008-04-10 Thread Rainer Jung
Jess Holle wrote: Mark Thomas wrote: Jess Holle wrote: Mark Thomas wrote: I couldn't see anything either. This looks like a mod_proxy_ajp bug/missing feature. I jumped the gun once by filing this against Tomcat, but it seems everything is pointing to mod_proxy_ajp. Is it time to file a

Re: %3B in path-info

2008-04-10 Thread Rainer Jung
Rémy Maucherat wrote: On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle [EMAIL PROTECTED] wrote: Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803] Guys, you've been going crazy about a (known) security issue: CVE-2007-1860 See http://tomcat.apache.org/security-jk.html Rémy

Re: %3B in path-info

2008-04-10 Thread Rémy Maucherat
On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung [EMAIL PROTECTED] wrote: Rémy, I know that we cleaned reencoding of forwarded URLs up in the context of the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at that time it would have been easier, if the AJP connectors had

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Rainer Jung wrote: Hmmm. Unfortunately I couldn't follow the thread earlier. As far as I know the problem is the following: A semicolon is used to separate the jsessionid in case you are using URL encoded sessions. As far as I remember the AJP connector does *not* recognize %3Bjsessionid.

Re: %3B in path-info

2008-04-10 Thread Jess Holle
Rémy Maucherat wrote: On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung [EMAIL PROTECTED] wrote: Rémy, I know that we cleaned reencoding of forwarded URLs up in the context of the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at that time it would have been easier, if the