Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Reply-To: tomcat-dev@jakarta.apache.org
Message-ID: <01ea01c125c2$fc4cf6b0$5a66a8c0@wilshire.com>
From: "Bill Barker"
Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
Date: Wed, 15 Aug 2001 12:46:32 -0700

Actually, I have an "index.jsp" file. According to the logs (I haven't turned up the logging level yet, so the information is minimal), I get:

Ctx() : Compiling: /?A=B.jsp to _0003fA_0003dB_0

The corresponding .java file just prints static HTML with a

/path/to/ROOT

followed by lines like: index.jsp

----- Original Message -----
From:
To: "Bill Barker"
Sent: Wednesday, August 15, 2001 12:59 PM
Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix

> On Wed, 15 Aug 2001, Bill Barker wrote:
>
> > It is actually worse than that. TC3.3B1 (with the mod_jk that it ships
> > with, I haven't tried j-t-c yet) gives a directory listing in response to:
> > http://myserver/%3f%41%3d%42.jsp
>
> If I translate this correctly, your request is
> http://myserver/?a=b.jsp
>
> This is treated as a request for "/", with parameters ( that are
> ignored since it's a static page ). Hmm, it should return a redirect or
> index.html if exists.
>
> Tomcat standalone is ok, it responds 404 ( and it does so because it
> correctly does a single decoding _after_ separating the URI in components,
> as required by URI spec ).
>
> For mod_jk, it's a bit tricky. I assume you configured apache to handle
> the static requests ?
>
> Can you make sure you have an index.html page ? If you see a dir listing,
> can you tell me who's generating it ( tomcat adds the version number at
> bottom )
>
> Thanks,
> Costin
>
> > ----- Original Message -----
> > From:
> > To: ; "Bill Barker"
> > Sent: Wednesday, August 15, 2001 11:44 AM
> > Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
> >
> > > On Wed, 15 Aug 2001, Bill Barker wrote:
> > >
> > > > Personally, I agree with Justin and Costin that mod_jk should be able to
> > > > use the uri field.
> > > >
> > > > Having said that, I'd like to point out that the mod_jk.c in j-t-c is
> > > > flat-out broken. It doesn't handle the case where the '?' itself is
> > > > encoded. Since this case is part of a currently popular attack on IIS,
> > > > it will show up.
> > >
> > > Interesting finding. However tomcat decoder should be able to do so - if
> > > it doesn't we must fix it. Can you check against 3.3beta1 ?
> > >
> > > As a note, IMHO it is perfectly legal to have an encoded '?' in the URI,
> > > and the behavior should be: the '?' will be decoded _after_ the URI is
> > > separated from query string, and it's used as part of the file name.
> > >
> > > AFAIK there is no reason a file ( or pathInfo ) can't have the '?' char
> > > inside, and the URI spec allows that.
> > >
> > > ( of course, paranoia may force us to remove this kind of behavior ).
> > >
> > > Costin
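
The ordering described in the quoted reply (separate the URI from the query string first, then decode once), sketched in C as an added example; it is not code from mod_jk, Tomcat or this thread, and all function names are hypothetical. The decode-first variant is kept only to reproduce the "/" plus parameters result reported for /%3f%41%3d%42.jsp.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {                     /* value of one hex digit, or -1 */
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode n bytes of src into dst, exactly once. Returns 0, or -1 on
 * a malformed escape, an encoded NUL, or a dst buffer that is too small. */
int pct_decode_once(const char *src, size_t n, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; i <= n; i++) {          /* i == n writes the terminator */
        int c = i < n ? (unsigned char)src[i] : '\0';
        if (c == '%') {
            int hi = n - i < 3 ? -1 : hexval((unsigned char)src[i + 1]);
            int lo = n - i < 3 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            i += 2;
        }
        if (o >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    return 0;
}

/* Correct order: cut at the first raw '?', then decode only the path. */
int split_then_decode(const char *t, char *path, size_t len, const char **query) {
    const char *q = strchr(t, '?');
    *query = q ? q + 1 : NULL;                 /* query stays encoded */
    return pct_decode_once(t, q ? (size_t)(q - t) : strlen(t), path, len);
}

/* Wrong order, for comparison: decode first, so %3f becomes a delimiter. */
int decode_then_split(const char *t, char *buf, size_t len, const char **query) {
    if (pct_decode_once(t, strlen(t), buf, len) != 0) return -1;
    char *q = strchr(buf, '?');
    *query = q ? q + 1 : NULL;
    if (q) *q = '\0';                          /* buf now holds only the path */
    return 0;
}

int main(void) {
    char p[256]; const char *q;
    if (split_then_decode("/%3f%41%3d%42.jsp", p, sizeof p, &q) == 0)
        printf("path=%s query=%s\n", p, q ? q : "(none)");
    return 0;
}
```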