tomcat-dev mailing list archives

From Mark Thomas
Subject Re: svn commit: r544137 - /tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
Date Fri, 08 Jun 2007 23:58:39 GMT
Mladen Turk wrote:
> Mark Thomas wrote:
>> Test 1: Tomcat only
>> http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
>> This correctly showed the index.html I created above.
> But this is an oxymoron. You wish to serve the content from
> servlets-examples with only jsp-examples mounted.
> This is also the exact reason of CVE-2007-1860.

No, I am not. I am trying to access the resource at the physical
file location:

Note that there really is a directory with the name %2e%2e. This
content is part of the jsp-examples web application. The names of the
sub-directories are deliberately chosen to cause problems and to
illustrate my point.

Trying to access /jsp-examples/salesgrowth%2007.html (a more likely
file name in, say, a content management scenario) has similar problems.

It is expected that this will be accessible via:

Test environment as before...
Test 1: Tomcat only

Test 2: Tomcat + httpd + mod_jk 1.2.22
Fails with 404

Test 3: Tomcat + httpd + mod_jk 1.2.23

Test 4: Tomcat + httpd + mod_jk 1.2.HEAD

Hmm. This wasn't what I was expecting. However, when I set
JkOptions +ForwardURICompat in httpd.conf, restoring the default
as mentioned previously in this thread, test 4 fails again.

In summary, I think we should be aiming for a solution that:
- doesn't have any security issues
- can serve files like salesgrowth%2007.html with the default config
- works with mod_rewrite etc

If we re-encoded the uri before sending it to Tomcat that would meet
all of the above requirements wouldn't it?
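
A minimal C model of the behaviour discussed in this message, added here as an illustration and not taken from mod_jk or from the original post. It assumes the front end (httpd) decodes the request URI once and the backend (Tomcat) decodes whatever it receives once, and compares forwarding the decoded URI as-is with re-encoding it first; the function names and the second sample URL are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode %XX escapes exactly once; malformed escapes are copied through. */
static void pct_decode(const char *in, char *out) {
    while (*in) {
        unsigned v;
        if (in[0] == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2]) && sscanf(in + 1, "%2x", &v) == 1) {
            *out++ = (char)v;
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* Encode every byte except RFC 3986 unreserved characters and '/'. */
static void pct_encode(const char *in, char *out) {
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || strchr("-._~/", c)) *out++ = (char)c;
        else out += sprintf(out, "%%%02X", c);
    }
    *out = '\0';
}

/* Assumed model: front end decodes once, forwards raw or re-encoded; backend decodes once. */
static void backend_path(const char *request, int reencode, char *out) {
    char decoded[512], forwarded[1536];
    pct_decode(request, decoded);
    if (reencode) pct_encode(decoded, forwarded);
    else strcpy(forwarded, decoded);
    pct_decode(forwarded, out);
}

int main(void) {
    /* First URL is from the message; the second is a constructed request. */
    const char *urls[] = { "/jsp-examples/%252e%252e/servlets-examples/index.html",
                           "/jsp-examples/salesgrowth%252007.html" };
    char raw[512], enc[512];
    for (int i = 0; i < 2; i++) {
        backend_path(urls[i], 0, raw);
        backend_path(urls[i], 1, enc);
        printf("%s\n  raw: %s\n  re-encoded: %s\n", urls[i], raw, enc);
    }
}
```

With raw forwarding the backend resolves the first URL to a path containing a `..` segment and the second to `salesgrowth 07.html`; with re-encoding it sees the literal `%2e%2e` and `%2007` names inside jsp-examples.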
