tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r544137 - /tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
Date Thu, 07 Jun 2007 03:02:55 GMT
Mladen Turk wrote:
> Mark Thomas wrote:
>>
>>> Did I mention that uri is *not* decoded twice?
>>
>> You did and I still don't agree. The root cause of CVE-2007-1860 was a
>> double decoding. Once in httpd/mod_jk and once in Tomcat.
>>
> 
> Why do you don't agree?
> Please provide a use case and confirm your statements are
> legitimate.

Note: The name of the directory has been chosen to have greatest
variation in behaviour but the general case is any resource name that
contains %nn sequences. This isn't a frequent occurrence; I have only
seen %nn in a resource name in a webdav context and then not that often.

Software:
Win XP Home SP2 + patches
Sun JDK 1.6.0_01
Tomcat 5.5.x built from svn r545026
mod_jk 1.2.x built from svn r545026 with Visual Studio 6 SP6
mod_jk 1.2.23 downloaded from mirrors
mod_jk 1.2.22 downloaded from archive
httpd 2.2.4 downloaded from mirrors

All software installed on a single machine.

Configuration
Tomcat defaults

Single ajp13 worker

jkMount  /jsp-examples/* worker1

A simple 'hello world' html file was created at (directories created
where required):
<appBase>/jsp-examples/%2e%2e/servlets-examples/index.html

Test 1: Tomcat only
http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
This correctly showed the index.html I created above.

Test 2: httpd + mod_jk 1.2.22 + Tomcat
http://localhost/jsp-examples/%252e%252e/servlets-examples/index.html
This displayed the index.html from the /servlets-examples context.
This is security issue CVE-2007-1860.

Test 3: httpd + mod_jk 1.2.23 + Tomcat
http://localhost/jsp-examples/%252e%225e/servlets-examples/index.html
This correctly showed the index.html I created above. The issue here
is that any url manipulation (eg mod-rewrite) is bypassed.

Test 4: httpd + mod_jk svn r545026 + Tomcat
http://localhost/jsp-examples/%252e%252e/servlets-examples/index.html
404 is returned. This is incorrectly blocking access to the resource.

My expectation is that:
A) A request for
http://host:port/jsp-examples/%252e%225e/servlets-examples/index.html
returns the correct file for Tomcat standalone and httpd + mod_jk + Tomcat
B) No security issues
C) The full features of httpd (mod_rewrite etc) are available when
using mod_jk

Given that B) is a must, does this make A and C mutually exclusive? I
don't know mod_jk or httpd well enough to make such a pronouncement
but I would be surprised if one of the httpd / mod_jk guru's couldn't
find a solution that allows A, B & C.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message