tomcat-dev mailing list archives

From Rainer Jung <>
Subject Re: Removing check for WEB-INF and META-INF from JK ISAPI redirector
Date Tue, 21 Aug 2018 12:53:24 GMT
On 21.08.2018 at 14:05, Mark Thomas wrote:
> Hi,
> I've been looking into [1] which is - essentially - that a request for
> http://<hostname>/examples/servlets/servlet/RequestInfoExample/WEB-INF
> will fail when it should be allowed.
> Currently the JK ISAPI redirector rejects any request with a path
> segment that is WEB-INF or META-INF irrespective of case.
> I'd like to propose removing this check. My reasons are:
> - It is unnecessary. Tomcat will reject all attempts to directly access
>    the contents of WEB-INF or META-INF
> - It triggers false positives as IIS can't tell which part of a URI is
>    the context path. For example, "/foo/bar/META-INF" is legal in the
>    ROOT context but illegal if the context path is /foo/bar
> - No such restriction exists for httpd (there is a restriction when
>    JkAutoAlias is used but that looks correct to me)
> Mark
> [1]

I don't know enough about IIS, but the check is old (at least version 1.2.0) 
and also existed in jk2. In jk2 there was a comment "XXX Make it a 
default checking in uri worker map" indicating that it was originally 
meant to be used not only for IIS.

All in all I agree that the check must exist in the AJP back end (such 
as Tomcat). I don't know how e.g. Jetty behaves, but since mod_jk 
doesn't have the check either, I do not expect a problem removing it 
(and documenting the removal).

Thanks for raising this,
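The false positive Mark describes, as an added illustration that is not part of this thread or of the mod_jk/ISAPI source: a model of the redirector's case-insensitive any-segment check beside a context-aware check of the kind the back end performs. Context paths and URIs are constructed sample values; the code assumes the paths have already been normalised (no `.` or `..` segments).

```python
"""Front-end segment check vs. context-aware check (constructed example)."""

PROTECTED = {"web-inf", "meta-inf"}


def _path_only(uri: str) -> str:
    """Drop any query string; only the path part matters for the check."""
    return uri.split("?", 1)[0]


def redirector_rejects(uri: str) -> bool:
    """Model of the old JK ISAPI behaviour described in the thread: reject when
    ANY path segment is WEB-INF or META-INF, ignoring case. IIS hands the
    redirector the whole URI, so it cannot tell where the context path ends."""
    return any(seg.lower() in PROTECTED for seg in _path_only(uri).split("/"))


def container_rejects(context_path: str, uri: str) -> bool:
    """Context-aware check: only the FIRST segment of the path within the
    context is special; a deeper segment named WEB-INF is an ordinary name."""
    path = _path_only(uri)
    ctx = context_path.rstrip("/")          # ROOT context becomes ""
    if ctx and not (path == ctx or path.startswith(ctx + "/")):
        return False                        # request is not mapped to this context
    within = path[len(ctx):]                # path relative to the context root
    segments = [s for s in within.split("/") if s]
    return bool(segments) and segments[0].lower() in PROTECTED


def compare(context_path: str, uri: str) -> tuple:
    """(front-end verdict, back-end verdict); a mismatch is a false positive."""
    return redirector_rejects(uri), container_rejects(context_path, uri)


if __name__ == "__main__":
    cases = [
        ("/", "/foo/bar/META-INF"),                 # legal in ROOT, redirector rejects
        ("/foo/bar", "/foo/bar/META-INF"),          # both reject
        ("/examples", "/examples/servlets/servlet/RequestInfoExample/WEB-INF"),
        ("/examples", "/examples/web-inf/web.xml"), # case-insensitive, both reject
    ]
    for ctx, uri in cases:
        print(f"{ctx:10} {uri:60} redirector/back end: {compare(ctx, uri)}")
```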

