tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
Date Wed, 15 Aug 2001 19:46:32 GMT
Actually, I have an "index.jsp" file.

According to the logs (I haven't turned up the logging level yet, so the
information in mininal), I get:
Ctx() : Compiling: /?A=B.jsp to _0003fA_0003dB_0
The corresponding .java file just prints static HTML with a
<base href="file://localhost/path/to/ROOT/"><h1>/path/to/ROOT</h1>

followed by lines like:
<img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32><a
href="index.jsp">index.jsp</a><br>
----- Original Message -----
From: <cmanolache@yahoo.com>
To: "Bill Barker" <william.barker@wilshire.com>
Sent: Wednesday, August 15, 2001 12:59 PM
Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix


> On Wed, 15 Aug 2001, Bill Barker wrote:
>
> > It is actually worse than that.  TC3.3B1 (with the mod_jk that it ships
> > with, I haven't tried j-t-c yet) gives a directory listing in response
to:
> > http://myserver/%3f%41%3d%42.jsp
>
> If I translate this corectly, your request is
>   http://myserver/?a=b.jsp
>
> This is treated as a request for "/", with parameters ( that are
> ignored since it's a static page ). Hmm, it should return a redirect or
> index.html if exists.
>
> Tomcat standalone is ok, it responds 404 ( and it does so because it
> corectly does a single decoding _after_ separating the URI in components,
> as required by URI spec ).
>
> For mod_jk, it's a bit tricky. I assume you configured apache to handle
> the static requests ?
>
> Can you make sure you have a index.html page ? If you see a dir listing,
> can you tell me who's generating it ( tomcat adds the version number at
> bottom )
>
> Thanks,
> Costin
>
>
>
>
> > ----- Original Message -----
> > From: <cmanolache@yahoo.com>
> > To: <tomcat-dev@jakarta.apache.org>; "Bill Barker"
> > <william.barker@wilshire.com>
> > Sent: Wednesday, August 15, 2001 11:44 AM
> > Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
> >
> >
> > > On Wed, 15 Aug 2001, Bill Barker wrote:
> > >
> > > > Personally, I agree with Justin and Costin that mod_jk should be
able to
> > use
> > > > the uri field.
> > > >
> > > > Having said that, I'd like to point out that the mod_jk.c in j-t-c
is
> > > > flat-out broken.  It doesn't handle the case where the '?' itself is
> > > > encoded.  Since this case is part of a currently popular attack on
IIS,
> > it
> > > > will show up.
> > >
> > > Interesting finding. However tomcat decoder should be able to do so -
if
> > > it doesn't we must fix it. Can you check against 3.3beta1 ?
> > >
> > > As a note, IMHO it is perfectly legal to have an encoded '?' in the
URI,
> > > and the behavior should be: the '?' will be decoded _after_ the URI is
> > > separated from query string, and it's used as part of the file name.
> > >
> > > AFAIK there is no reason a file ( or pathInfo ) can't have the '?'
char
> > > inside, and the URI spec allow that.
> > >
> > > ( of course, paranoia may force us to remove this kind of behavior ).
> > >
> > > Costin
> > >
> > >
> > >
> > >
> >
>
>


Mime
View raw message