tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Fw: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
Date Wed, 15 Aug 2001 19:28:46 GMT

----- Original Message -----
From: "Bill Barker" <wbarker@wilshire.com>
To: <cmanolache@yahoo.com>
Sent: Wednesday, August 15, 2001 12:15 PM
Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix


> It is actually worse than that.  TC3.3B1 (with the mod_jk that it ships
> with, I haven't tried j-t-c yet) gives a directory listing in response to:
> http://myserver/%3f%41%3d%42.jsp
> ----- Original Message -----
> From: <cmanolache@yahoo.com>
> To: <tomcat-dev@jakarta.apache.org>; "Bill Barker"
> <william.barker@wilshire.com>
> Sent: Wednesday, August 15, 2001 11:44 AM
> Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
>
>
> > On Wed, 15 Aug 2001, Bill Barker wrote:
> >
> > > Personally, I agree with Justin and Costin that mod_jk should be able to use
> > > the uri field.
> > >
> > > Having said that, I'd like to point out that the mod_jk.c in j-t-c is
> > > flat-out broken.  It doesn't handle the case where the '?' itself is
> > > encoded.  Since this case is part of a currently popular attack on IIS, it
> > > will show up.
> >
> > Interesting finding. However tomcat decoder should be able to do so - if
> > it doesn't we must fix it. Can you check against 3.3beta1 ?
> >
> > As a note, IMHO it is perfectly legal to have an encoded '?' in the URI,
> > and the behavior should be: the '?' will be decoded _after_ the URI is
> > separated from query string, and it's used as part of the file name.
> >
> > AFAIK there is no reason a file ( or pathInfo ) can't have the '?' char
> > inside, and the URI spec allows that.
> >
> > ( of course, paranoia may force us to remove this kind of behavior ).
> >
> > Costin
> >
> >
> >
> >
>
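
Added example, not part of the original messages and not mod_jk's or Tomcat's code: a C sketch of the ordering Costin describes (cut at the literal '?' first, then decode the path), next to the reverse order for contrast, run on the request path Bill reports. The names `pct_decode` and `split_target` are hypothetical, and rejecting malformed escapes and `%00` is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place; -1 on a malformed escape or a decoded NUL. */
static int pct_decode(char *s)
{
    char *out = s, hex[3] = { 0 };
    for (; *s; s++, out++) {
        if (*s != '%') { *out = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        hex[0] = s[1]; hex[1] = s[2];
        *out = (char)strtol(hex, NULL, 16);
        if (*out == '\0') return -1;
        s += 2;
    }
    *out = '\0';
    return 0;
}

/* Split a request target into path and (still encoded) query.
 * decode_first=0: cut at the first literal '?', then decode the path only.
 * decode_first=1: faulty order for contrast, decode everything then cut. */
static int split_target(const char *raw, int decode_first,
                        char *path, size_t n, const char **query)
{
    if (strlen(raw) >= n) return -1;
    strcpy(path, raw);
    if (decode_first && pct_decode(path) != 0) return -1;
    char *q = strchr(path, '?');
    *query = q ? q + 1 : NULL;      /* query points into the path buffer */
    if (q) *q = '\0';
    return decode_first ? 0 : pct_decode(path);
}

int main(void)
{
    const char *raw = "/%3f%41%3d%42.jsp", *q;  /* request path from the thread */
    char path[256];
    for (int mode = 0; mode < 2; mode++)
        if (split_target(raw, mode, path, sizeof path, &q) == 0)
            printf("decode_first=%d path=%s query=%s\n", mode, path, q ? q : "(none)");
    return 0;
}
```

With `decode_first=0` the path is `/?A=B.jsp` and there is no query string; with `decode_first=1` the same request collapses to path `/` with query `A=B.jsp`.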

