tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ignacio J. Ortega" <>
Subject RE: cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
Date Thu, 06 Feb 2003 09:51:05 GMT

> Thanks.  The restored mod_jk behavior is the same as
> Tomcat 3.3.x with <DecodeInterceptor ... safe="true"/>,
> the default.  Unsafe escapes give 403's.  We can
> add a similar option to mod_jk to turn off the checking.
> Though, I can't image a situation where it would make
> sense to accept the risks to gain access to these escapes.  

The problem is that i_r2.dll is spitting 403 on any URL that contains
%2F, remeber fuilter do see ALL the request that pass for the IIS
server, we are rejecting URL NOT for tomcat, like in /test%2Ftest.asp,
this is the wrong behaviour the user seeing, and i think it's a little
agressive, dont you? so this needs to be solved..

Ignacio J. Ortega 

View raw message