tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
Date Wed, 15 Aug 2001 19:51:16 GMT
1.3.17 (with negotiation_module removed to prevent that problem).
----- Original Message -----
From: <cmanolache@yahoo.com>
To: "Bill Barker" <william.barker@wilshire.com>
Cc: <cmanolache@yahoo.com>
Sent: Wednesday, August 15, 2001 1:01 PM
Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix


> Apache2.0 + mod_jk + JNI + tc3.3 gives me the correct answer,
> 404 ( with the correct URI - /?A=B.jsp ). Note that typing
> the unencoded version is returning the correct answer too, i.e.
> index.html.
>
> What version of apache are you using ?
>
> Costin
>
>
>
> On Wed, 15 Aug 2001, Bill Barker wrote:
>
> > It is actually worse than that.  TC3.3B1 (with the mod_jk that it ships
> > with, I haven't tried j-t-c yet) gives a directory listing in response to:
> > http://myserver/%3f%41%3d%42.jsp
> > ----- Original Message -----
> > From: <cmanolache@yahoo.com>
> > To: <tomcat-dev@jakarta.apache.org>; "Bill Barker"
> > <william.barker@wilshire.com>
> > Sent: Wednesday, August 15, 2001 11:44 AM
> > Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
> >
> >
> > > On Wed, 15 Aug 2001, Bill Barker wrote:
> > >
> > > > Personally, I agree with Justin and Costin that mod_jk should be able to
> > > > use the uri field.
> > > >
> > > > Having said that, I'd like to point out that the mod_jk.c in j-t-c is
> > > > flat-out broken.  It doesn't handle the case where the '?' itself is
> > > > encoded.  Since this case is part of a currently popular attack on IIS,
> > > > it will show up.
> > >
> > > Interesting finding. However tomcat decoder should be able to do so - if
> > > it doesn't we must fix it. Can you check against 3.3beta1 ?
> > >
> > > As a note, IMHO it is perfectly legal to have an encoded '?' in the URI,
> > > and the behavior should be: the '?' will be decoded _after_ the URI is
> > > separated from query string, and it's used as part of the file name.
> > >
> > > AFAIK there is no reason a file ( or pathInfo ) can't have the '?' char
> > > inside, and the URI spec allows that.
> > >
> > > ( of course, paranoia may force us to remove this kind of behavior ).
> > >
> > > Costin
> > >
> > >
> > >
> > >
> >
>
>
>
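
The ordering discussed in this thread, as an added example that is not part of the original messages and is not mod_jk or Tomcat code: it parses the request path quoted above both ways, separating the query string before decoding and decoding before separating. The function names `pct_decode` and `parse_uri`, the buffer sizes and the rejection of `%00` are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place. Returns -1 on a malformed escape or %00. */
int pct_decode(char *s) {
    char *out = s;
    for (; *s; s++) {
        if (*s != '%') { *out++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        long v = strtol(hex, NULL, 16);
        if (v == 0) return -1;   /* an embedded NUL would truncate the path */
        *out++ = (char)v;
        s += 2;
    }
    *out = '\0';
    return 0;
}

/* Split raw into path and query (both buffers hold n bytes).
 * decode_first == 0: order described in the thread, cut at the first
 *   literal '?' and only then decode the path.
 * decode_first != 0: reversed order shown for contrast, where an encoded
 *   '?' is mistaken for the separator. */
int parse_uri(const char *raw, int decode_first, char *path, char *query, size_t n) {
    if (strlen(raw) >= n) return -1;
    strcpy(path, raw);
    if (decode_first && pct_decode(path) != 0) return -1;
    char *q = strchr(path, '?');
    query[0] = '\0';
    if (q) { strcpy(query, q + 1); *q = '\0'; }
    return decode_first ? 0 : pct_decode(path);
}

int main(void) {
    char p[64], q[64];
    const char *raw = "/%3f%41%3d%42.jsp";   /* request path quoted in the thread */
    for (int mode = 0; mode <= 1; mode++)
        if (parse_uri(raw, mode, p, q, sizeof p) == 0)
            printf("decode_first=%d path=%s query=%s\n", mode, p, q);
    return 0;
}
```

Splitting first keeps the whole string as the path (`/?A=B.jsp`, empty query); decoding first reduces the path to `/` with query `A=B.jsp`.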

