tomcat-users mailing list archives

From Rainer Jung <>
Subject Re: Paths containing %2F instead of /
Date Fri, 02 Nov 2007 18:52:40 GMT
Very partial answer: for the Apache part see

By default Apache httpd does not allow those requests, and denies them
even before passing over to mod_jk. If allowed, it doesn't decode them.

If you enable them in Apache and want to check which URL we pass
forward to Tomcat, set JkLogLevel debug and search for "Service". There
is a log line which gives the URL in exactly the encoding in which
mod_jk forwards it to the backend.



Christopher Schultz wrote:
> All,
> One of the unit tests is failing in the securityfilter project which
> uses Tomcat (5.5) and httpunit for the tests themselves.
> Basically, a test written a loooong time ago seems to be failing after
> the fix for a bug which involves decoding of %2F in a URL into a '/'.
> Either through mod_jk or directly to Tomcat's HTTP connector, now, any
> request that has a / replaced with a %2F will not work. I'm pretty sure
> this was a security fix.
> I was wondering if anyone could explain what the initial problem was,
> why this was "fixed" and if it makes any sense for me to try to fix this
> test in any meaningful way, or if it should be simply removed.
> (And yes, I have read this:
> in Apache Tomcat 5.5.22,
> 5.0.SVN. I still don't get it... shouldn't it work properly when using
> the HTTP connector?)
> Thanks,
> -chris
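
A minimal model of the behaviour discussed in this thread, as an added example that is not part of either message and is not httpd, mod_jk or Tomcat code: a front end that refuses %2F by default and forwards it undecoded when allowed, plus a check showing how a prefix-based constraint gives different answers before and after decoding. The function names, the `/secure/` prefix and the sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# %2F is the percent-encoding of '/'; hex digits are case-insensitive.
ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)

def front_end(raw_path, allow_encoded_slashes=False):
    """Model of the front-end policy described in the reply above.

    Returns (status, forwarded_path). By default the request is refused
    before any handler runs (httpd answers 404 in that case). When encoded
    slashes are allowed, the path is forwarded exactly as received.
    """
    if ENCODED_SLASH.search(raw_path) and not allow_encoded_slashes:
        return 404, None
    return 200, raw_path

def is_protected(path, prefix="/secure/"):
    """Prefix match, the way a URL-pattern security constraint is evaluated.
    The prefix is a constructed example value."""
    return path.startswith(prefix)

def constraint_views(raw_path):
    """Return (decision on the path as received, decision after decoding).

    When the two differ, a component that checks before decoding and a
    component that serves after decoding disagree about the same request.
    """
    return is_protected(raw_path), is_protected(unquote(raw_path))

# Constructed sample request paths.
SAMPLES = ["/secure/report.jsp", "/secure%2Freport.jsp", "/public/a%2fb"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, front_end(p), front_end(p, True), constraint_views(p))
```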
