On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung <[EMAIL PROTECTED]> wrote: > Rémy, > > I know that we cleaned reencoding of forwarded URLs up in the context of > the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at > that time it would have been easier, if the AJP connectors had resolved > %3Bjsessionid (because then we wouldn't have needed a new JK forward > option).
%3Bjsessionid is not a session id. JK should not be passing a decoded URL, and that's pretty much the end of the story. Rémy --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]