Mark Thomas wrote:
>
> Single ajp13 worker
>
> jkMount /jsp-examples/* worker1
>
> A simple 'hello world' html file was created at (directories created
> where required):
> <appBase>/jsp-examples/%2e%2e/servlets-examples/index.html
>
> Test 1: Tomcat only
> http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
> This correctly showed the index.html I created above.
>
But this is an oxymoron. You wish to serve the content from
servlets-examples with only jsp-examples mounted.
This is also the exact reason for CVE-2007-1860.
>
> My expectation is that:
> A) A request for
> http://host:port/jsp-examples/%252e%225e/servlets-examples/index.html
> returns the correct file for Tomcat standalone and httpd + mod_jk + Tomcat
Use 'JkMount /* worker1' if you need something like that.
The entire point of the story is that if you have *only*
JkMount /jsp-examples/* then *only* that Context is allowed to be served.
Even reaching Tomcat (which happens with < 1.2.24) is a security break.
Regards,
Mladen.
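The mount-check failure the thread describes, as an added illustration (not mod_jk's or Tomcat's code): a front end that matches its mount list against the raw request path, a backend modelled as percent-decoding twice and collapsing dot segments, and the canonicalise-before-matching check that keeps a request inside the mounted context. Mount list and sample paths are constructed.

```python
from urllib.parse import unquote
import posixpath

# Constructed mount list standing in for 'JkMount /jsp-examples/* worker1'.
MOUNTS = ["/jsp-examples/"]


def backend_resolves(path):
    """Model of a backend that percent-decodes twice and then collapses
    '..' segments, so %252e%252e ends up acting as a parent reference."""
    decoded = unquote(unquote(path))
    return posixpath.normpath(decoded)


def mount_allows_raw(path):
    """Weak check: compare the mount prefix against the raw request path,
    before any decoding. '/jsp-examples/%252e%252e/...' passes."""
    return any(path.startswith(m) for m in MOUNTS)


def mount_allows_normalized(path):
    """Hardened check: canonicalise the path the same way the backend
    will, then compare the mount prefix against that result."""
    resolved = backend_resolves(path)
    return any(resolved.startswith(m) for m in MOUNTS)


def context_reached(path, check):
    """Return the top-level context the backend would serve for `path`,
    or None if the front-end `check` refuses to forward the request."""
    if not check(path):
        return None
    resolved = backend_resolves(path)
    parts = resolved.split("/")
    return parts[1] if len(parts) > 1 else ""


if __name__ == "__main__":
    probe = "/jsp-examples/%252e%252e/servlets-examples/index.html"
    for name, check in (("raw", mount_allows_raw),
                        ("normalized", mount_allows_normalized)):
        print(name, "->", context_reached(probe, check))
```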
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org