Message-ID: <4664E8C9.5080109@apache.org>
Date: Tue, 05 Jun 2007 06:38:33 +0200
From: Mladen Turk
To: Tomcat Developers List
Subject: Re: svn commit: r544137 - /tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c

William A. Rowe, Jr. wrote:
> mturk@apache.org wrote:
>> Author: mturk
>> Date: Mon Jun 4 05:08:33 2007
>> New Revision: 544137
>>
>> URL: http://svn.apache.org/viewvc?view=rev&rev=544137
>> Log:
>> Add simple URI normalizer that can deal with things like %252e%252e. This is mostly copy/paste from the IIS module
>
> You have me way confused ;-)
>

Right. I confused many. Just look at the thread about the subject.
Almost nobody understood what I was talking about.

> The uri you are processing in the httpd connector has already been unfolded.
> So your desire is to double-unfold the uri?

No. Nothing is either unfolded or double unfolded.
This is internal for map_uri_to_worker.

How it works:
Imagine you have two applications on Tomcat, appA and appB,
and you wish *only* to expose the appA via
JkMount /appA/* worker

Request: http://host/appA/%252e%252e/appB/

mod_jk 1.2.22 (with default passing r->uri) will serve /appB/
mod_jk 1.2.23 (with default passing r->unparsed_uri) will return 404 from Tomcat
(because it will pass the original uri, not the one Httpd already unfolded)
mod_jk 1.2.24 will return 404 from Httpd because there is no JkMount /appB/*

> This has some very ugly side
> effects for legitimately escaped paths, and if it is a security precaution,
> don't you just leave yet-a-new-hole for triply-folded uris?
>

Again, no. It doesn't touch the original uri.
Request for http://host/appA/%252e%252e/appB/
will be unfolded by httpd to http://host/appA/%2e%2e/appB/
before it hits mod_jk. Inside map_uri_to_worker it
will be unescaped (locally) to /appA/../appB/ and then normalized
to /appB/ and then it looks for mounted path.
In case one has JkMount /* or JkMount /appB/*, the
original uri host/appA/%2e%2e/appB/ will be passed to Tomcat.

Regards,
Mladen.
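The mapping steps described in the message above (unescape a local copy, normalize it, then look for a mounted path), as an added example that is not part of the original message and is not mod_jk's code. The names `unescape_once`, `normalize` and `map_uri` and the prefix-only mount matching are illustrative assumptions; the input is the URI as httpd hands it over, already decoded once.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX once into dst, a local copy; the request URI itself is untouched. */
static int unescape_once(const char *src, char *dst) {
    for (; *src; dst++) {
        if (*src == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst = (char)strtol(hex, NULL, 16);
            if (*dst == '\0') return -1;            /* reject an encoded NUL */
            src += 3;
        } else *dst = *src++;
    }
    *dst = '\0';
    return 0;
}

/* Resolve "." and ".." segments in place; -1 if ".." climbs above the root. */
static int normalize(char *p) {
    char *out = p, *in = p;
    while (*in) {                                   /* *in is a '/' here */
        char *seg = in + 1;
        size_t n = strcspn(seg, "/");
        in = seg + n;
        if (n == 0) { if (!*seg) *out++ = '/'; }    /* keep a trailing slash, drop empty segments */
        else if (n == 1 && seg[0] == '.') { }       /* "." adds nothing */
        else if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (out == p) return -1;
            do out--; while (*out != '/');          /* pop the previous segment */
        } else { memmove(out, seg - 1, n + 1); out += n + 1; }
    }
    if (out == p) *out++ = '/';
    *out = '\0';
    return 0;
}

/* Hypothetical helper: index of the first mount matching the normalized copy, else -1. */
int map_uri(const char *uri, const char *const mounts[], int nmounts) {
    char local[1024];
    if (uri[0] != '/' || strlen(uri) >= sizeof local) return -1;
    if (unescape_once(uri, local) != 0 || normalize(local) != 0) return -1;
    for (int i = 0; i < nmounts; i++) {
        size_t n = strlen(mounts[i]);               /* simplified pattern: prefix + '*' */
        if (n && mounts[i][n - 1] == '*' && !strncmp(mounts[i], local, n - 1)) return i;
    }
    return -1;
}
```

With only `/appA/*` in the mount table, `map_uri("/appA/%2e%2e/appB/", ...)` returns -1, which corresponds to the case the message says ends in a 404 from httpd.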