tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
Date Wed, 15 Aug 2001 18:06:46 GMT
Personally, I agree with Justin and Costin that mod_jk should be able to use
the uri field.

Having said that, I'd like to point out that the mod_jk.c in j-t-c is
flat-out broken.  It doesn't handle the case where the '?' itself is
encoded.  Since this case is part of a currently popular attack on IIS, it
will show up.
----- Original Message -----
From: "Justin Erenkrantz" <jerenkrantz@ebuilt.com>
To: <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, August 15, 2001 8:27 AM
Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix


> On Wed, Aug 15, 2001 at 08:56:45AM -0400, Keith Wannamaker wrote:
> > I am concerned that the loss of original escaping
> > will break somebody.  For instance:
>
> As Costin pointed out, the escaping of a URI does not change its
> semantics - they should be treated as identical by anyone who follows
> the URI spec.  Escaping where it wasn't escaped *shouldn't* break
> anyone.
>
> And, the whole question is what does Tomcat see the request as?  I
> could make a case that it should never know about the unparsed_uri,
> but only the uri that httpd finally resolved to and that mod_jk
> picked up.  -- justin
>
>
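
The encoded-'?' case raised above, as an added example that is not part of the original message and is not mod_jk code: a literal `?` delimits the query string, while `%3F` is path data, so the order of splitting and percent-decoding changes what the backend sees. The function names and the sample URI are hypothetical and constructed for illustration; this does not reproduce the specific defect in the j-t-c mod_jk.c.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Percent-decode src[0..n) into dst. Returns 0, or -1 on a malformed
 * escape, an encoded NUL, or a destination that is too small. */
static int pct_decode(const char *src, size_t n, char *dst, size_t dstsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            unsigned char h = (unsigned char)(n - i < 3 ? 0 : src[i + 1]);
            unsigned char l = (unsigned char)(n - i < 3 ? 0 : src[i + 2]);
            if (!isxdigit(h) || !isxdigit(l)) return -1;
            c = (unsigned char)(hexval(h) * 16 + hexval(l));
            if (c == 0) return -1;          /* refuse %00 */
            i += 2;
        }
        if (o + 1 >= dstsz) return -1;
        dst[o++] = (char)c;
    }
    if (dstsz == 0) return -1;
    dst[o] = '\0';
    return 0;
}

/* Split on the literal '?' first, then decode only the path part. */
int split_then_decode(const char *raw, char *path, size_t psz, const char **query)
{
    const char *q = strchr(raw, '?');
    *query = q ? q + 1 : NULL;              /* query is left encoded */
    return pct_decode(raw, q ? (size_t)(q - raw) : strlen(raw), path, psz);
}

/* Wrong order: decoding first turns %3F into a delimiter. */
int decode_then_split(const char *raw, char *path, size_t psz, const char **query)
{
    if (pct_decode(raw, strlen(raw), path, psz) != 0) return -1;
    char *q = strchr(path, '?');
    if (q) *q++ = '\0';
    *query = q;
    return 0;
}

int main(void)
{
    char path[64]; const char *q;           /* constructed sample URI below */
    if (split_then_decode("/docs/a%3Fb.jsp?x=1", path, sizeof path, &q) == 0)
        printf("split first: path=%s query=%s\n", path, q ? q : "(none)");
    return 0;
}
```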

