Very partial answer: for the apache part see

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

By default, Apache httpd does not allow those requests, and denies them
even before passing them on to mod_jk. If allowed, it doesn't decode them.

If you enable them in Apache and want to check which URL we pass
forward to Tomcat, set JkLogLevel debug and search for "Service". There
is a log line which gives the URL in exactly the encoding in which
mod_jk forwards it to the backend.

Regards,

Rainer

Christopher Schultz wrote:
> All,
> 
> One of the unit tests is failing in the securityfilter project which
> uses Tomcat (5.5) and httpunit for the tests themselves.
> 
> Basically, a test written a loooong time ago seems to be failing after
> the fix for a bug which involves decoding of %2F in a URL into a '/'.
> 
> Either through mod_jk or directly to Tomcat's HTTP connector, now, any
> request that has a / replaced with a %2F will not work. I'm pretty sure
> this was a security fix.
> 
> I was wondering if anyone could explain what the initial problem was,
> why this was "fixed" and if it makes any sense for me to try to fix this
> test in any meaningful way, or if it should be simply removed.
> 
> (And yes, I have read this:
> http://tomcat.apache.org/security-5.html#Fixed in Apache Tomcat 5.5.22,
> 5.0.SVN. I still don't get it... shouldn't it work properly when using
> the HTTP connector?)
> 
> Thanks,
> -chris
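The thread asks why decoding %2F into '/' had to be stopped. The general hazard behind that class of fix is a mismatch between the path a front-end filter authorises on and the path the container actually serves: if the filter sees the raw request-URI (where "/admin%2Fsecret" does not start with "/admin/") but the container decodes %2F before resolving the resource, the protected resource is served without the check ever matching. The script below is an added illustration of that mismatch and of the two ways to close it (refuse encoded slashes outright, as Apache's default AllowEncodedSlashes Off does, or decode before authorising). It is not code from Tomcat, mod_jk or the securityfilter project, and it does not describe the specific bug in the linked Tomcat advisory; the "/admin/" prefix and the sample request-URIs are constructed for the example.

```python
from urllib.parse import unquote

# Hypothetical prefix that a path-based security filter is meant to guard
# (an assumption for this example, not taken from the thread).
PROTECTED_PREFIX = "/admin/"


def resolve_path(request_uri: str) -> str:
    """Path a container serves once it percent-decodes the request-URI,
    including %2F -> '/'. This mimics the 'decoding %2F' behaviour the
    thread says was removed."""
    return unquote(request_uri)


def naive_dispatch(request_uri: str, authenticated: bool) -> tuple:
    """Filter that authorises on the *raw* request-URI, after which the
    container serves the *decoded* path. The two views of the request
    disagree, so an encoded slash slips past the prefix check."""
    if request_uri.startswith(PROTECTED_PREFIX) and not authenticated:
        return ("deny", None)
    return ("serve", resolve_path(request_uri))


def hardened_dispatch(request_uri: str, authenticated: bool) -> tuple:
    """Two independent fixes, either of which closes the gap:
    1. refuse any request-URI containing an encoded slash, in either hex
       case (what Apache's default AllowEncodedSlashes Off does);
    2. decode first, then authorise on the same path that will be served."""
    if "%2f" in request_uri.lower():
        return ("reject", None)
    path = unquote(request_uri)
    if path.startswith(PROTECTED_PREFIX) and not authenticated:
        return ("deny", None)
    return ("serve", path)


# Constructed sample request-URIs (not traffic captured from the thread).
SAMPLE_REQUESTS = [
    "/admin/secret",
    "/admin%2Fsecret",
    "/admin%2fsecret",
    "/public/index.html",
]


def compare(authenticated: bool = False) -> dict:
    """Return {request_uri: (naive_result, hardened_result)} for the samples,
    so the bypass and its fix can be inspected side by side."""
    return {
        uri: (naive_dispatch(uri, authenticated), hardened_dispatch(uri, authenticated))
        for uri in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for uri, (naive, hardened) in compare().items():
        print(f"{uri:22} naive={naive}  hardened={hardened}")
```

Two practical caveats. First, the check on the raw request-URI must be case-insensitive, since "%2f" decodes exactly like "%2F". Second, the hardened version decodes exactly once; a doubly encoded "%252F" becomes the literal string "%2F" and is treated as an ordinary path component, which is only safe if nothing downstream decodes the path a second time. Whatever component performs the last decode is the one that has to run the authorisation check.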

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org