setup:

FreeBSD 4.8-RELEASE, Apache 1.3.27 w/ mod_ssl 2.8.14, mod_jk 1.2.3 and 1.2.4. Tomcat version is irrelevant since the request never leaves Apache, but anyway, it is Tomcat 3.3.1a.

JkMount /pp/system/*jsp

[Wed Jun 25 01:32:48 2003] [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:32:48 2003] [jk_uri_worker_map.c (477)]: Attempting to map URI '/pp/entrance/login.jsp'
[Wed Jun 25 01:32:48 2003] [jk_uri_worker_map.c (558)]: jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat -> *.jsp
[Wed Jun 25 01:33:14 2003] [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:33:14 2003] [jk_uri_worker_map.c (477)]: Attempting to map URI '//pp/entrance/login.jsp'
[Wed Jun 25 01:33:14 2003] [jk_uri_worker_map.c (599)]: jk_uri_worker_map_t::map_uri_to_worker, done without a match


map_uri_to_worker just makes an exact match, in my case "//pp/system" against "/pp/system/", actually on line 485:

           if(0 == strncmp(uwr->context,
                           uri,
                           uwr->ctxt_len)) {

Double slashes after /pp/system/ are OK; they will be sent on to Tomcat, which has code to handle this.

I enclose a lazy patch that makes double slashes in any request to a jsp file, up to the length of the configured context, to be classed as a security fraud. This will make mod_jk handle this request to Tomcat anyway. Note that in the example above, this means that Tomcat will get any request to a jsp file where there are double slashes in the first 12 characters (12==strlen("/pp/system/");). Of course, Tomcat will issue a 404 if it has no file to serve, but without this patch, Apache would do the 404 in that case. AFAIK, this hardly matters, but could it confuse someone? Confusion is probably less than without the patch, though... ;-)

Cheers,
Palle

--On Tuesday, June 24, 2003 19.51.43 +0200 Yann Cébron <[EMAIL PROTECTED]> wrote:

Hello Palle,

I can confirm this bug on Win2K using Apache 2.0.44 with TC4.1.24 and
setting mod_jk to auto-config. What's your exact setup regarding mod_jk?

Greetings,

Yann





--- common/jk_uri_worker_map.c.orig     Wed Jun 25 03:43:05 2003
+++ common/jk_uri_worker_map.c  Wed Jun 25 03:43:10 2003
@@ -156,6 +156,16 @@
                          */
                         return i;
                     }
+                   if (strnstr(uri, "//", uw_map->maps[i]->ctxt_len)) {
+                        /* 
+                         * Security violation !!!
+                        * The request to a file to a file with a
+                        * configured jsp suffix has "//" (multiple
+                        * slashes). If we don't expect a fraud here,
+                        * apache will serve the jsp source code
+                         */
+                     return i;
+                   }
                 }
             }
         }
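
Review bot: strnstr() in the first added line is a BSD libc function and is not provided by glibc or the Microsoft C runtime, so this will not build on the Win2K setup where the bug was confirmed; a bounded loop over uri or a small local helper would be portable. The test also only looks for "//" inside the first ctxt_len bytes and never compares those bytes with uw_map->maps[i]->context, so entry i is returned for any such URI whether or not it belongs to that context. Collapsing repeated slashes in uri before the existing context comparison would cover the reported case without over-matching. Minor: the comment repeats "to a file to a file", and the added lines mix tabs and spaces against the surrounding indentation.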

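
As an added illustration of the strncmp comparison quoted in the message above (not code from mod_jk or from the enclosed patch): the raw prefix test misses "//pp/system/...", while the same test run after collapsing repeated slashes matches it. The struct, the function names, the ".jsp" suffix value and the 1024-byte buffer are assumptions made for the example, and the URI is assumed to be a path with no query string.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one JkMount entry: context prefix plus suffix. */
struct mount { const char *context; const char *suffix; };

/* Prefix comparison as quoted in the message, followed by a suffix test. */
static int matches_raw(const struct mount *m, const char *uri)
{
    size_t ulen = strlen(uri), slen = strlen(m->suffix);
    if (strncmp(m->context, uri, strlen(m->context)) != 0)
        return 0;
    return ulen >= slen && strcmp(uri + ulen - slen, m->suffix) == 0;
}

/* Collapse every run of '/' into a single '/'; -1 if out is too small. */
static int collapse_slashes(const char *uri, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (const char *p = uri; *p; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;               /* skip the repeated slash */
        if (n + 1 >= outsz)
            return -1;              /* keep room for the terminator */
        out[n++] = *p;
    }
    out[n] = '\0';
    return 0;
}

/* Normalise, then match. -1 means "could not normalise": the caller
 * should refuse the request rather than let the web server serve it. */
static int matches_normalised(const struct mount *m, const char *uri)
{
    char buf[1024];                 /* assumed upper bound for the sketch */
    if (collapse_slashes(uri, buf, sizeof buf) != 0)
        return -1;
    return matches_raw(m, buf);
}

int main(void)
{
    const struct mount m = { "/pp/system/", ".jsp" };   /* constructed */
    const char *uris[] = { "/pp/system/a.jsp", "//pp/system/a.jsp",
                           "/pp//system/a.jsp", "/pp/other/a.jsp" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-20s raw=%d normalised=%d\n", uris[i],
               matches_raw(&m, uris[i]), matches_normalised(&m, uris[i]));
    return 0;
}
```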