tomcat-dev mailing list archives

From: "Larry Isaacs" <Larry.Isa...@sas.com>
Subject: RE: cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
Date: Wed, 05 Feb 2003 01:17:19 GMT

Hi Nacho,

My brain isn't firing on all cylinders at the moment,
but this makes me a little nervous.  I think some of the
problems in the past have been where malicious escaping
would prevent requests from being forwarded to Tomcat, and
they would be served statically.

> -----Original Message-----
> From: nacho@apache.org [mailto:nacho@apache.org] 
> Sent: Tuesday, February 04, 2003 3:46 PM
> To: jakarta-tomcat-connectors-cvs@apache.org
> Subject: cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
> 
> 
> nacho       2003/02/04 12:45:50
> 
>   Modified:    jk/native2/server/isapi jk_isapi_plugin.c
>   Log:
>   Fix for Bug#16759 ISAPI_REDIRECTOR Handles %2F improperly
>   
>   Now a uri considered not valid or bad by jk2 is passed down the filter chain,
>   so letting the server continue processing, also relaxed logging to info as
>   they are not errors anymore..
>   
>   Revision  Changes    Path
>   1.54      +10 -6     
> jakarta-tomcat-connectors/jk/native2/server/isapi/jk_isapi_plugin.c
>   
>   Index: jk_isapi_plugin.c
>   ===================================================================
>   RCS file: 
> /home/cvs/jakarta-tomcat-connectors/jk/native2/server/isapi/jk
> _isapi_plugin.c,v
>   retrieving revision 1.53
>   retrieving revision 1.54
>   diff -u -r1.53 -r1.54
>   --- jk_isapi_plugin.c	4 Feb 2003 07:44:23 -0000	1.53
>   +++ jk_isapi_plugin.c	4 Feb 2003 20:45:49 -0000	1.54
>   @@ -316,20 +316,24 @@
>    
>                    rc = jk_requtil_unescapeUrl(uri);
>                    if (rc == BAD_REQUEST) {
>   -                    env->l->jkLog(env, env->l,  JK_LOG_ERROR, 
>   +                    env->l->jkLog(env, env->l,  JK_LOG_INFO, 
>                               "HttpFilterProc [%s] contains 
> one or more invalid escape sequences.\n", 
>                               uri);
>   -                    write_error_response(pfc,"400 Bad 
> Request", HTML_ERROR_400);
>   +                    // XXX: Let any other filter process 
> the request, 
>   +                    //      if they take any security 
> measure or not doesnt matter.
>   +                    //  write_error_response(pfc,"400 Bad 
> Request", HTML_ERROR_400);
>                        workerEnv->globalEnv->releaseEnv( 
> workerEnv->globalEnv, env );
>   -                    return SF_STATUS_REQ_FINISHED;
>   +                    return SF_STATUS_REQ_NEXT_NOTIFICATION;
>                    }
>                    else if(rc == BAD_PATH) {
>   -                    env->l->jkLog(env, env->l,  JK_LOG_EMERG, 
>   +                    env->l->jkLog(env, env->l,  JK_LOG_INFO, 
>                               "HttpFilterProc [%s] contains 
> forbidden escape sequences.\n", 
>                               uri);
>   -                    write_error_response(pfc,"403 
> Forbidden", HTML_ERROR_403);
>   +                    // XXX: Let any other filter process 
> the request, 
>   +                    //      if they take any security 
> measure or not doesnt matter.
>   +                    //  write_error_response(pfc,"403 
> Forbidden", HTML_ERROR_403);
>                        workerEnv->globalEnv->releaseEnv( 
> workerEnv->globalEnv, env );
>   -                    return SF_STATUS_REQ_FINISHED;
>   +                    return SF_STATUS_REQ_NEXT_NOTIFICATION;
>                    }
>                    jk_requtil_getParents(uri);
>    
>   
>   
>   
> 
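Review bot: In both the `BAD_REQUEST` and `BAD_PATH` branches, replacing `return SF_STATUS_REQ_FINISHED` with `return SF_STATUS_REQ_NEXT_NOTIFICATION` while commenting out `write_error_response` changes the filter from fail-closed to fail-open: a URI that `jk_requtil_unescapeUrl` has just flagged is neither rejected nor forwarded to Tomcat, and its handling is left to whatever runs next in the chain. The new comment says it "doesnt matter" whether later filters take any security measure, but the patch does not show why that holds, so the reasoning should be written down in the comment or the commit log. I would suggest relaxing only the `BAD_REQUEST` case needed for Bug#16759 and keeping the 403 and `SF_STATUS_REQ_FINISHED` for `BAD_PATH`, since that branch is by its own log message about "forbidden escape sequences". Lowering that same message from `JK_LOG_EMERG` to `JK_LOG_INFO` also makes such requests harder to spot in the log; keeping a higher level there would preserve the signal. Finally, the commented-out `write_error_response` calls should be deleted rather than left in place, as the revision history already records them.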
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 
