tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Removing check for WEB-INF and META-INF from JK ISAPI redirector
Date Tue, 21 Aug 2018 12:53:24 GMT
Am 21.08.2018 um 14:05 schrieb Mark Thomas:
> Hi,
> 
> I've been looking into [1] which is - essentially - that a request for
> 
> http://<hostname>/examples/servlets/servlet/RequestInfoExample/WEB-INF
> 
> will fail when it should be allowed.
> 
> Currently the JK ISAPI redirector rejects any request with a path
> segment that is WEB-INF or META-INF irrespective of case.
> 
> I'd like to propose removing this check. My reasons are:
> 
> - It is unnecessary. Tomcat will reject all attempts to directly access
>    the contents of WEB-INF or META-INF
> 
> - It triggers false positives as IIS can't tell which part of a URI is
>    the context path. For example, "/foo/bar/META-INF" is legal in the
>    ROOT context but illegal if the context path is /foo/bar
> 
> - No such restriction exists for httpd (there is a restriction when
>    JkAutoAlias is used but that looks correct to me)
> 
> Mark
> 
> 
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60745

Not knowing enough about IIS, the check is old (at least version 1.2.0 
and also existed in jk2. In jk2 there was a comment "XXX Make it a 
default checking in uri worker map" indicating, that it was originally 
meant to be used not only for IIS.

All in all I agree, that the check must exist in the AJP back end (such 
as Tomcat). I don't know, how e.g. Jetty behaves but since mod_jk 
doesn't have the check either, I do not expect a problem removing it 
(and documenting the removal).

Thanks for raising this,

Rainer


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message