tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry Isaacs" <Larry.Isa...@sas.com>
Subject RE: cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
Date Thu, 06 Feb 2003 13:12:52 GMT
I'm seem to be getting into a habit of clicking "Send" instead
of "Save". :(

I think this is something that to some degree is a necessary
evil.  Hopefully I will be able to tell more when I can get
back into the code.  The trick is allowing this "okay" URL
to succeed while preventing malicious uses of "%2F" from also
succeeding.

Cheers,
Larry

> -----Original Message-----
> From: Larry Isaacs 
> Sent: Thursday, February 06, 2003 8:02 AM
> To: Tomcat Developers List
> Subject: RE: cvs commit: 
> jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
> 
> 
> 
> 
> > -----Original Message-----
> > From: Ignacio J. Ortega [mailto:nacho@siapi.es] 
> > Sent: Thursday, February 06, 2003 4:51 AM
> > To: 'Tomcat Developers List'
> > Subject: RE: cvs commit: 
> > jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
> > 
> > 
> > Larry,
> > 
> > > 
> > > Thanks.  The restored mod_jk behavior is the same as
> > > Tomcat 3.3.x with <DecodeInterceptor ... safe="true"/>,
> > > the default.  Unsafe escapes give 403's.  We can
> > > add a similar option to mod_jk to turn off the checking.
> > > Though, I can't image a situation where it would make
> > > sense to accept the risks to gain access to these escapes.  
> > 
> > The problem is that i_r2.dll is spitting 403 on any URL 
> that contains
> > %2F, remeber fuilter do see ALL the request that pass for the IIS
> > server, we are rejecting URL NOT for tomcat, like in 
> /test%2Ftest.asp,
> > this is the wrong behaviour the user seeing, and i think 
> it's a little
> > agressive, dont you? so this needs to be solved..
> > 
> > Saludos, 
> > Ignacio J. Ortega 
> > 
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message