tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Paths containing %2F instead of /
Date Fri, 02 Nov 2007 18:52:40 GMT
Very partial answer: for the apache part see

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

By default apache httpd does not allow those requests, and denies them
even before passing over to mod_jk. If allowed, it doesn't decode them.

If you enable them in Apache and want to check, which URL we pass
forward to Tomcat, set JkLogLevel debug and search for "Service". There
is a log line, which gives the URL in exactly the encoding in which
mod_jk forwards it to the backend.

Regards,

Rainer

Christopher Schultz schrieb:
> All,
> 
> One of the unit tests is failing in the securityfilter project which
> uses Tomcat (5.5) and httpunit for the tests themselves.
> 
> Basically, a test written a loooong time ago seems to be failing after
> the fix for a bug which involves decoding of %2F in a URL into a '/'.
> 
> Either through mod_jk or directly to Tomcat's HTTP connector, now, any
> request that has a / replaced with a %2F will not work. I'm pretty sure
> this was a security fix.
> 
> I was wondering if anyone could explain what the initial problem was,
> why this was "fixed" and if it makes any sense for me to try to fix this
> test in any meaningful way, or if it should be simply removed.
> 
> (And yes, I have read this:
> http://tomcat.apache.org/security-5.html#Fixed in Apache Tomcat 5.5.22,
> 5.0.SVN. I still don't get it... shouldn't it work properly when using
> the HTTP connector?)
> 
> Thanks,
> -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message