tomcat-dev mailing list archives

From Bojan Smojver <bo...@rexursive.com>
Subject RE: cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache2 mod_jk2.c
Date Sun, 21 Jul 2002 05:55:16 GMT
On Sun, 2002-07-21 at 03:09, Mladen Turk wrote:
> That wouldn't work!

Actually it doesn't for aliases, as tested by Mark. That's what's
missing from the translate phase.

> I'm altogether very unsure whether we are doing the right thing.
> What would be the purpose of some default file for a directory that
> is inside the apache's directory tree?

TC and Apache directory tree can be one and the same. That works quite
well (DirectoryIndex, that is) with Apache 1.3.x and mod_jk 1.x. At
least that's how I build and deploy my sites.

> The purpose of the rewrite hooks is IMO to enable the apache to see TC's
> directory tree as something of its own.
> Doing hacks like that makes a lot of space for various attacks, and I
> think we should reject to serve the requests that don't belong to the
> TC's tree.

In that case the existing behaviour of mod_jk 1.x with Apache 1.3.x has
to be rewritten to not allow that. Security is always priority number
one and if there is real danger that this can cause any problems, then
it was definitely a bad idea in the first place.

I'm not all that familiar with what such scenarios would be, maybe
something related to files that might contain secrets (e.g. something in
WEB-INF) or maybe related to encoding/decoding. A few examples wouldn't
hurt...

> For a default directory index we should use the TC not Apache, or we'll
> never end that story.

I'm sure that would confuse a few people, but if that's The Right Way
(TM), then, I guess, it has to be like that.

> Perhaps I'm wrong and would like to hear some good explanation for the
> purpose of that (I mean DirectoryIndex), and why we need the Apache's
> mod_dir to do that.

It makes it much simpler to maintain a site with one set of directories.
It is then up to mod_dir to pick the actual index file. If the index
file is one of TC served files (e.g. index.jsp, index.vm), then TC gets
the request. Otherwise, Apache just does its thing.

It also makes things consistent with other technologies, like PHP, where
DirectoryIndex does work.

> So I'm -0 on that subject, and would like to see the things like that
> have been before attempting to use DirectoryIndex to serve the things
> that TC should serve and decide about.

OK. I'll leave it up to you to revert the fix. We need to tell people
that the behaviour has been changed between Apache 1.3.x and 2.x and
their relevant mod_jk versions and that DirectoryIndex won't work.

Unless, of course, someone has a better idea that keeps the Apache 1.3.x
behaviour and does it in a safe manner.

Bojan
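
Added example, not part of the original message and not mod_jk2 code: a sketch of the kind of path check that addresses the WEB-INF and encoding/decoding concerns raised above when Apache and Tomcat serve one shared directory tree. The function name `is_protected_path`, the 1024-byte limit and the fail-closed choices (malformed or double-encoded escapes are refused) are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/*
 * Hypothetical helper (not mod_jk2 code): returns 1 when the request
 * path must be refused, 0 when it may be served or forwarded.
 */
int is_protected_path(const char *uri)
{
    char buf[1024];
    size_t n = 0;

    /* Decode the path once (query string excluded) into buf. */
    for (const char *p = uri; *p && *p != '?'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return 1;              /* malformed escape */
            c = hi * 16 + lo;
            if (c == 0 || c == '%') return 1;  /* NUL or double encoding */
            p += 2;
        }
        if (c == '\\') c = '/';                /* treat '\' as a separator */
        if (n + 1 >= sizeof buf) return 1;     /* too long: fail closed */
        buf[n++] = (char)c;
    }
    buf[n] = '\0';

    /* Check each segment name; ";params" are not part of the name. */
    for (const char *seg = buf; seg != NULL; ) {
        size_t len = strcspn(seg, "/;");
        if ((len == 7 && strncasecmp(seg, "WEB-INF", 7) == 0) ||
            (len == 8 && strncasecmp(seg, "META-INF", 8) == 0) ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return 1;
        seg = strchr(seg, '/');
        if (seg) seg++;
    }
    return 0;
}
```

The comparison runs on the decoded, case-folded segment name because the front end and the servlet container may not normalise a path the same way; a check on the raw request line alone would miss equivalent spellings.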

