tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51769] False positive: Somebody try to hack into the site!!!
Date Tue, 06 Sep 2011 20:17:01 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51769

--- Comment #1 from Christopher Schultz <chris@christopherschultz.net> 2011-09-06 20:17:01 UTC ---
Looks like jk_isapi_plugin.c::uri_is_web_inf is a little too liberal with its
check:

static int uri_is_web_inf(const char *uri)
{
    if (stristr(uri, "/web-inf")) {
        return JK_TRUE;
    }
    if (stristr(uri, "/meta-inf")) {
        return JK_TRUE;
    }

    return JK_FALSE;
}

Might make sense to check to see if the uri either ends with either of those
two strings or explicitly has a "/" after either of them.

Obviously, requesting "/anything/meta-info-for-my-application" would cause a
failure, here.

I can confirm that mod_jk does not enforce such checks, because without
<Location>Allow/Deny</Location>, httpd will serve content out of WEB-INF and
META-INF directories if an Alias is set up to point to the deployment
directory.

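The behaviour described in the comment, as an added example that is not code from the Tomcat connectors project: the over-broad substring check beside the tightened version the comment proposes, where a match counts only when the matched segment is followed by end-of-string or another "/". The `ci_strstr` helper is an assumption standing in for the connector's `stristr` (a case-insensitive substring search); `JK_TRUE`/`JK_FALSE` are defined locally so the file compiles on its own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define JK_TRUE  1
#define JK_FALSE 0

/* Case-insensitive substring search: assumed equivalent of the connector's
 * stristr(); returns a pointer to the first match or NULL. */
static const char *ci_strstr(const char *haystack, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0)
        return haystack;
    for (const char *p = haystack; *p; p++) {
        size_t i;
        for (i = 0; i < nlen; i++) {
            if (!p[i] ||
                tolower((unsigned char)p[i]) != tolower((unsigned char)needle[i]))
                break;
        }
        if (i == nlen)
            return p;
    }
    return NULL;
}

/* The check as quoted in the bug report: any URI containing "/web-inf" or
 * "/meta-inf" anywhere is rejected, which is why
 * "/anything/meta-info-for-my-application" is blocked as a false positive. */
static int uri_is_web_inf_liberal(const char *uri)
{
    if (ci_strstr(uri, "/web-inf"))
        return JK_TRUE;
    if (ci_strstr(uri, "/meta-inf"))
        return JK_TRUE;
    return JK_FALSE;
}

/* Match a path segment only if it is followed by '\0' (URI ends with it) or
 * '/' (it is a complete directory segment). Every occurrence is examined, so
 * "/app/web-infx/web-inf/" is still caught by its second occurrence. */
static int segment_matches(const char *uri, const char *seg)
{
    size_t len = strlen(seg);
    const char *p = uri;
    while ((p = ci_strstr(p, seg)) != NULL) {
        char next = p[len];
        if (next == '\0' || next == '/')
            return JK_TRUE;
        p += 1;               /* keep scanning after a partial match */
    }
    return JK_FALSE;
}

/* The tightened check suggested in the comment. */
static int uri_is_web_inf_strict(const char *uri)
{
    if (segment_matches(uri, "/web-inf"))
        return JK_TRUE;
    if (segment_matches(uri, "/meta-inf"))
        return JK_TRUE;
    return JK_FALSE;
}

int main(void)
{
    /* Constructed sample URIs, including the one from the bug report. */
    const char *samples[] = {
        "/anything/meta-info-for-my-application",
        "/app/WEB-INF/web.xml",
        "/app/META-INF",
        "/app/web-information/",
        "/app/web-infx/web-inf/",
        "/app/index.jsp",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-42s liberal=%d strict=%d\n", samples[i],
               uri_is_web_inf_liberal(samples[i]),
               uri_is_web_inf_strict(samples[i]));
    }
    return 0;
}
```

The strict check only implements the segment rule the comment proposes; a production filter must run it on the decoded, normalized path (percent-encoding and dot segments resolved) and ignore any query string, otherwise equivalent spellings of the same directory slip past the comparison.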