tomcat-users mailing list archives

From Henk Fictorie <henk.ficto...@kpn.com>
Subject Re: mod_jk 1.2.27 and an empty POST
Date Mon, 01 Dec 2008 11:50:26 GMT



Mladen Turk-3 wrote:
> 
> Henk Fictorie wrote:
>> Hi,
>> 
>> I think that I've been bitten by a resolved bug in mod_jk 1.2.27. The
>> changelog is describing this as:
>> 
>> AJP13: Always send initial POST packet even if the client disconnected after
>> sending request but before providing POST data. In that case or in case the
>> client broke the connection in a middle of read send an zero size packet
>> informing container about broken client connection. (mturk)
>> 
>>
> 
> Your SSO will have to remember the POST data
> or use the GET for that. In all other cases this
> is a security risk of hijacking the sessions.
> 
> Regards
> 

I know, this issue will probably end with a service request to Oracle to
solve this bug.
Somewhere between mod_jk 1.2.21 and 1.2.27 the behaviour is changed. It now
signals this as an error instead of leaving this up to Tomcat. This is very
reasonable, but it leaves us with an upgrade challenge :-(

regards Henk Fictorie
