On Fri, 27 Jun 2003, Henri Gomez wrote:

> If you want to be very secure, you use Apache in front of Tomcat,
> and tomcats located on other machines.
>
> In such case you use ajp13, and with this configuration, I DIDN'T HAVE
> ANY PROBLEM with '//' since it's handled by tomcat (tested with 3.3.1a),
> since Apache web server couldn't read NON LOCAL DATA, isn't it?
>
> The general rule for security is to make use of JkMount to ROOT:
>
> JkMount /webappx/servlet/ ajpworker
> JkMount /webappx/*.jsp ajpworker
>
> Or JkMount /webappx/* ajpworker
>
> And in your jsp/servlet/..., you put references to Apache-handled elements,
> like images, html in /images, /text, /xxxx, which are NOT in the
> /webappx scope and so will be served by Apache.
Thanks for the suggestion, it certainly is one option that can work for some people in some situations. However, it isn't a very good general purpose solution for a variety of reasons, and certainly should not be necessary.

> You seem very aware of Apache internals and I reiterate our proposal
> (at least Remy and I), to provide fixes.

Enough with the attitude. I'm just trying to point out specific instances where things are not or may not be handled properly so perhaps someone can fix them if they so desire. I am making no demands that anyone jump up and do so, nor blaming anyone for anything, but simply pointing out what is broken and why. Is it really the case around here that people don't want to hear about specifics of bugs and security holes that impact a large percent of users unless a patch is provided? All I am doing is trying to make sure people are aware that the particular case of a double '/' is only a subset of the more general issue that has to be dealt with. Your "if you don't like it go fix it yourself" responses are not appreciated nor are they conducive to making people feel welcome or in any mood to contribute anything. I already said I don't have time to do that right now, but will likely do so in the future if it is still broken by the time I need it to work right.
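The exchange above turns on whether the front end matches request paths against JkMount patterns before or after the path is canonicalized. The following Python is an added illustration, not code from the thread or from mod_jk: it models the three mount forms Henri quotes with a deliberately simplified matcher (the pattern semantics are an assumption, not mod_jk's real implementation) and shows why matching on the raw path lets `//webappx/...` or `/images/../webappx/...` slip past the mounts, while matching on a normalized path routes them to the worker as intended.

```python
# Added example, not from the mailing-list thread: a simplified model of a
# front-end (Apache/mod_jk style) deciding whether a request path falls under a
# JkMount pattern. The pattern semantics below are an assumption modelled on the
# three forms quoted in the thread, not mod_jk's real matcher.
import posixpath


def normalize_path(path: str) -> str:
    """Canonicalize a request path before matching it against mounts.

    Collapses repeated slashes (including a leading '//', which posixpath.normpath
    deliberately preserves) and resolves '.' and '..' segments, while keeping a
    trailing slash so that '/webappx/servlet/' stays a distinct exact-match mount.
    """
    path = "/" + path.lstrip("/")
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def matches_mount(pattern: str, path: str) -> bool:
    """Simplified JkMount matching (assumption):
    '/ctx/*'      everything under /ctx/
    '/ctx/*.jsp'  everything under /ctx/ whose name ends in .jsp
    '/ctx/sub/'   exact match only
    """
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    if "*" in pattern:
        prefix, suffix = pattern.split("*", 1)
        return path.startswith(prefix) and path.endswith(suffix)
    return path == pattern


def route(mounts, path: str, normalize: bool = True):
    """Return the worker a path is forwarded to, or None when no mount matches
    (i.e. the front end would serve the path itself from its document root)."""
    candidate = normalize_path(path) if normalize else path
    for pattern, worker in mounts:
        if matches_mount(pattern, candidate):
            return worker
    return None


# Constructed mount table, taken from the forms quoted in the thread.
MOUNTS = [
    ("/webappx/servlet/", "ajpworker"),
    ("/webappx/*.jsp", "ajpworker"),
]

if __name__ == "__main__":
    for req in ["/webappx/index.jsp", "//webappx/index.jsp",
                "/images/../webappx/index.jsp", "/images/logo.png"]:
        print(f"{req:32} raw={route(MOUNTS, req, normalize=False)!s:10} "
              f"normalized={route(MOUNTS, req)}")
```

The defensive point is the order of operations: whichever component does the mount lookup must see the same canonical path the backend will eventually resolve, otherwise a request the mount table was meant to forward is instead handled by the front end. Keeping static content outside the mounted context, as Henri suggests, narrows what a missed mount can expose but does not remove the need to canonicalize first.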