tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: cvs commit: jakarta-tomcat-connectors/jk/native/common jk_uri_worker_map.c jk_uri_worker_map.h
Date Fri, 27 Jun 2003 15:57:51 GMT
On Thu, 27 Jun 2003 billbarker@apache.org wrote:

> billbarker    2003/06/26 19:54:18
>
>   Modified:    jk/native/common jk_uri_worker_map.c jk_uri_worker_map.h
>   Log:
>   Fix problem with URLs that contain "//".
>
>   This is essentially what Apache/httpd does in location_walk.

Make sure you realize that, especially on windows, this is unlikely to
be sufficient to fix this class of problems unless there is other code
somewhere that I didn't see when I checked.

What happens, for example, if you have a directory /directory/ that
also has a 8.3 name direct~1 and access the direct~1 form of the name?
What prevents the rule mapping /directory/*.jsp to tomcat from being
bypassed?

This is one of the reasons why the Apache documentation tells you
never to use a Location section to protect or control access to
the filesystem, but instead to use a Directory section.  Due to filename
variance there are many different filenames, and hence URLs, that
can be used to access the same actual file bypassing the protection
(in this case mapping).  This requires the filename be canonicalized
for comparisons, which is partly done in directory_walk() in Apache.

Certainly, doing this right is complex.  But that is one of the
exact reasons I run Apache in front of Tomcat and why I want Tomcat
and the connectors to it to have the smallest possible duplicate
codepath.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message