On Fri, 27 Jun 2003, Henri Gomez wrote:

> If you want to be very secure, you sue Apache in front of Tomcat,
> and tomcats located on other machines.
> In such case you use ajp13, and with this configuration, I DIDN'T HAVE
> ANY PROBLEM with '//' since it's handle by tomcat (tested with 3.3.1a),
> since Apache web server couldn't read NON LOCAL DATAS isn't it ?
> The general rule for security is to make use of JkMount to ROOT :
> JkMount /webappx/servlet/ ajpworker
> JkMount /webappx/*.jsp    ajpworker
> Or JkMount /webappx/* ajpworker
> And in your jsp/servlet/..., you put ref to Apache handled element,
> like images, html in /images, /text, /xxxx, which are NOT in the
> /webappx scope and so will be server by Apache.

Thanks for the suggestion, it certainly is one option that can work
for some people in some situations.  However, it isn't a very good
general purpose solution for a variety of reasons, and certainly should
not be necessary.

> You seems very aware of Apache Internals and I reiterate our proposal
> (at least Remy and I), to provide fixes.

Enough with the attitude.  I'm just trying to point out specific
instances where things are not or may not be handled properly so
perhaps someone can fix them if they so desire.  I am making no
demands that anyone jump up and do so, nor blaming anyone for
anything, but simply pointing out what is broken and why.

Is it reallly the case around here that people don't want to hear about
specifics of bugs and security holes that impact a large percent of users
unless a patch is provided?

All I am doing is trying to make sure people are aware that the particular
case of a double '/' is only a subset of the more general issue that has
to be dealt with.  Your "if you don't like it go fix it yourself"
responses are not appreciated nor are they condusive to making people feel
welcome or in any mood to contribute anything.  I already said I don't
have time to do that right now, but will likely do so in the future if it
is still broken by the time I need it to work right.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to