Apache2.0 + mod_jk + JNI + tc3.3 gives me the correct answer,
404 ( with the correct URI - /?A=B.jsp ). Note that typing
the unencoded version is returning the correct answer too, i.e.
index.html.
What version of apache are you using ?
Costin
On Wed, 15 Aug 2001, Bill Barker wrote:
> It is actually worse than that. TC3.3B1 (with the mod_jk that it ships
> with, I haven't tried j-t-c yet) gives a directory listing in response to:
> http://myserver/%3f%41%3d%42.jsp
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "Bill Barker"
> <[EMAIL PROTECTED]>
> Sent: Wednesday, August 15, 2001 11:44 AM
> Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
>
>
> > On Wed, 15 Aug 2001, Bill Barker wrote:
> >
> > > Personally, I agree with Justin and Costin that mod_jk should be able to
> use
> > > the uri field.
> > >
> > > Having said that, I'd like to point out that the mod_jk.c in j-t-c is
> > > flat-out broken. It doesn't handle the case where the '?' itself is
> > > encoded. Since this case is part of a currently popular attack on IIS,
> it
> > > will show up.
> >
> > Interesting finding. However tomcat decoder should be able to do so - if
> > it doesn't we must fix it. Can you check against 3.3beta1 ?
> >
> > As a note, IMHO it is perfectly legal to have an encoded '?' in the URI,
> > and the behavior should be: the '?' will be decoded _after_ the URI is
> > separated from query string, and it's used as part of the file name.
> >
> > AFAIK there is no reason a file ( or pathInfo ) can't have the '?' char
> > inside, and the URI spec allow that.
> >
> > ( of course, paranoia may force us to remove this kind of behavior ).
> >
> > Costin
> >
> >
> >
> >
>
