tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: cvs commit: jakarta-tomcat-connectors/jk/native/common jk_uri_worker_map.c
Date Fri, 17 Dec 2004 19:04:10 GMT

----- Original Message -----
From: "Mladen Turk" <mturk@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Friday, December 17, 2004 9:34 AM
Subject: Re: cvs commit: jakarta-tomcat-connectors/jk/native/common
jk_uri_worker_map.c


> Bill Barker wrote:
> >>
> >> No, it's not related to IIS at all.
> >>
> >
> > Of course it is related to IIS, since IIS is the only one that (wrongly)
> > doesn't pass a copy of the URI to map_uri_to_worker
> >
>
> OK. Seems that you catch me on that :).
>
> But since the request is supposed to be atomic why to strdup an uri?
> I'd rather remove
> char *uri = apr_pstrdup(r->pool, r->uri);
> before calling map_uri_to_worker then adding strdup to IIS.
>

It was done to fix a '//' bypass traversal bug (e.g.
http://myserver/myapp//foo.jsp would serve the source of the JSP).
map_uri_to_worker calls jk_no2slash, which modifies the URI in ways that are
hard to undo.  The reason that the call is done outside of map_uri_to_worker
is simply that apr_pstrdup is better than jk_pool_strdup.  Otherwise, it's
trying to be like location_walk in Apache.

In the case of IIS, something like:
  char temp_uri[INTERNET_MAX_URL_LENGTH];
  strcpy(temp_uri, uri);
  worker = map_uri_to_worker(uw_map, temp_uri, logger);

is probably no worse than the rest of the code :).  However, I kept breaking
IIS whenever I tried to change things in it, so I just gave up at some
point.

>
> Regards,
> Mladen.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>



This message is intended only for the use of the person(s) listed above as the intended recipient(s),
and may contain information that is PRIVILEGED and CONFIDENTIAL.  If you are not an intended
recipient, you may not read, copy, or distribute this message or any attachment. If you received
this communication in error, please notify us immediately by e-mail and then delete all copies
of this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet
is not secure. Do not send confidential or sensitive information, such as social security
numbers, account numbers, personal identification numbers and passwords, to us via ordinary
(unencrypted) e-mail.



Mime
View raw message