tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: svn commit: r544137 - /tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
Date Thu, 07 Jun 2007 03:02:55 GMT
Mladen Turk wrote:
> Mark Thomas wrote:
>>> Did I mention that uri is *not* decoded twice?
>> You did and I still don't agree. The root cause of CVE-2007-1860 was a
>> double decoding. Once in httpd/mod_jk and once in Tomcat.
> Why don't you agree?
> Please provide a use case and confirm your statements are
> legitimate.

Note: The name of the directory has been chosen to have greatest
variation in behaviour but the general case is any resource name that
contains %nn sequences. This isn't a frequent occurrence; I have only
seen %nn in a resource name in a webdav context and then not that often.

Win XP Home SP2 + patches
Sun JDK 1.6.0_01
Tomcat 5.5.x built from svn r545026
mod_jk 1.2.x built from svn r545026 with Visual Studio 6 SP6
mod_jk 1.2.23 downloaded from mirrors
mod_jk 1.2.22 downloaded from archive
httpd 2.2.4 downloaded from mirrors

All software installed on a single machine.

Tomcat defaults

Single ajp13 worker

jkMount  /jsp-examples/* worker1

A simple 'hello world' html file was created at (directories created
where required):

Test 1: Tomcat only
This correctly showed the index.html I created above.

Test 2: httpd + mod_jk 1.2.22 + Tomcat
This displayed the index.html from the /servlets-examples context.
This is security issue CVE-2007-1860.

Test 3: httpd + mod_jk 1.2.23 + Tomcat
This correctly showed the index.html I created above. The issue here
is that any URL manipulation (e.g. mod_rewrite) is bypassed.

Test 4: httpd + mod_jk svn r545026 + Tomcat
404 is returned. This is incorrectly blocking access to the resource.

My expectation is that:
A) A request for
returns the correct file for Tomcat standalone and httpd + mod_jk + Tomcat
B) No security issues
C) The full features of httpd (mod_rewrite etc) are available when
using mod_jk

Given that B) is a must, does this make A and C mutually exclusive? I
don't know mod_jk or httpd well enough to make such a pronouncement
but I would be surprised if one of the httpd / mod_jk gurus couldn't
find a solution that allows A, B & C.
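The following is an added example, not code from the thread or from mod_jk, that models the forwarding choices the tests above exercise: forwarding the decoded path (decoded again by Tomcat, as in Test 2), forwarding the raw URI (decoded exactly once but with any rewrite bypassed, as in Test 3), and a third, assumed option that re-escapes the rewritten path before forwarding. The directory name, the mount table and the rewrite rule are constructed for the demonstration.

```python
from urllib.parse import unquote, quote

# Constructed sample request: a directory literally named "%41bc" under the
# /jsp-examples context, so the '%' in its name arrives escaped as %25.
# (The directory name used in the thread's tests is not reproduced here.)
RAW_URI = "/examples/%2541bc/index.html"
MOUNTS = ("/jsp-examples/",)            # the single jkMount from the test setup


def rewrite(path: str) -> str:
    """Stand-in for an httpd rewrite rule (constructed): /examples/ -> /jsp-examples/."""
    return path.replace("/examples/", "/jsp-examples/", 1)


def forward(raw_uri: str, strategy: str):
    """Return (path the mount decision used, path Tomcat resolves) for one strategy."""
    mapped = rewrite(unquote(raw_uri))   # first decode, then rewriting and mount matching
    if strategy == "decoded":            # forward the decoded path: Tomcat decodes it again
        forwarded = mapped
    elif strategy == "raw":              # forward the untouched URI: decoded once, rewrite lost
        forwarded = raw_uri
    elif strategy == "reencoded":        # assumed option: re-escape the rewritten path, so
        forwarded = quote(mapped, safe="/")  # Tomcat decodes once and the rewrite is kept
    else:
        raise ValueError(strategy)
    return mapped, unquote(forwarded)    # second element is Tomcat's own single decode


def mounted(path: str) -> bool:
    """Whether the path Tomcat ends up with still falls under a mounted context."""
    return any(path.startswith(m) for m in MOUNTS)


def drift(raw_uri: str, strategy: str) -> bool:
    """True when Tomcat resolves a different path than the one the mount decision used."""
    mapped, seen = forward(raw_uri, strategy)
    return mapped != seen


if __name__ == "__main__":
    for s in ("decoded", "raw", "reencoded"):
        mapped, seen = forward(RAW_URI, s)
        print(f"{s:10} mapped={mapped} tomcat={seen} mounted={mounted(seen)} drift={drift(RAW_URI, s)}")
```

With the "decoded" strategy Tomcat resolves /jsp-examples/Abc/index.html although the mount decision was made for /jsp-examples/%41bc/index.html; with "raw" the rewrite never reaches Tomcat; only the re-escaped form keeps the two sides in agreement.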
