tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 51769] False positive: Somebody try to hack into the site!!!
Date Tue, 06 Sep 2011 20:17:01 GMT

--- Comment #1 from Christopher Schultz <> 2011-09-06 20:17:01 UTC ---
Looks like jk_isapi_plugin.c::uri_is_web_inf is a little too liberal with its

/* Any occurrence of "/web-inf" or "/meta-inf" anywhere in the URI is
 * treated as a hit (stristr is mod_jk's case-insensitive strstr). */
static int uri_is_web_inf(const char *uri)
{
    if (stristr(uri, "/web-inf")) {
        return JK_TRUE;
    }
    if (stristr(uri, "/meta-inf")) {
        return JK_TRUE;
    }

    return JK_FALSE;
}

Might make sense to check to see if the uri either ends with either of those
two strings or explicitly has a "/" after either of them.

Obviously, requesting "/anything/meta-info-for-my-application" would cause a
failure, here.

I can confirm that mod_jk does not enforce such checks, because without
<Location>Allow/Deny</Location>, httpd will serve content out of WEB-INF and
META-INF directories if an Alias is set up to point to the deployment
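The following is an added illustration of the point raised in the comment, not code from the bug report or from mod_jk/ISAPI redirector itself. It places the substring check quoted above beside a tightened version that only matches "/web-inf" or "/meta-inf" as a whole path segment (followed by end of string or "/"), and runs both over constructed sample URIs including the "/anything/meta-info-for-my-application" false positive. The ci_strstr helper is a stand-in for mod_jk's stristr and is assumed to behave the same way; the strict variant assumes the URI has already been decoded and normalized by the caller.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for mod_jk's stristr(): case-insensitive strstr.
 * Returns a pointer to the first match of needle in haystack, or NULL. */
static const char *ci_strstr(const char *haystack, const char *needle)
{
    size_t nlen = strlen(needle);
    for (const char *p = haystack; *p != '\0'; p++) {
        size_t i;
        for (i = 0; i < nlen; i++) {
            if (p[i] == '\0' ||
                tolower((unsigned char)p[i]) != tolower((unsigned char)needle[i]))
                break;
        }
        if (i == nlen)
            return p;
    }
    return NULL;
}

/* The liberal check as quoted in the bug: any occurrence of the substring
 * trips it, so "/anything/meta-info-for-my-application" is rejected too. */
int uri_is_web_inf_liberal(const char *uri)
{
    return ci_strstr(uri, "/web-inf") != NULL ||
           ci_strstr(uri, "/meta-inf") != NULL;
}

/* Returns 1 only if `segment` occurs as a whole path segment, i.e. it is
 * followed by end of string or another '/'. Keeps scanning past partial
 * matches because a later occurrence may still be a real segment. */
static int has_protected_segment(const char *uri, const char *segment)
{
    size_t seglen = strlen(segment);
    const char *p = uri;
    while ((p = ci_strstr(p, segment)) != NULL) {
        char next = p[seglen];
        if (next == '\0' || next == '/')
            return 1;
        p += 1;
    }
    return 0;
}

/* Tightened check following the suggestion in the comment (constructed;
 * assumes the caller has already decoded and normalized `uri`). */
int uri_is_web_inf_strict(const char *uri)
{
    return has_protected_segment(uri, "/web-inf") ||
           has_protected_segment(uri, "/meta-inf");
}

int main(void)
{
    /* Constructed sample URIs, not taken from any real deployment. */
    const char *samples[] = {
        "/anything/meta-info-for-my-application",
        "/app/WEB-INF/web.xml",
        "/app/META-INF",
        "/app/web-information/index.jsp",
        "/app/index.jsp",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-42s liberal=%d strict=%d\n", samples[i],
               uri_is_web_inf_liberal(samples[i]),
               uri_is_web_inf_strict(samples[i]));
    }
    return 0;
}
```

The strict variant still blocks the real WEB-INF and META-INF paths (case-insensitively, as the original does) while letting a sibling directory whose name merely begins with "meta-inf" or "web-inf" through.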

