I am looking at: http://svn.apache.org/repos/asf/tomcat/connectors/tags/jk1.2.x/JK_1_2_16/jk/native/netscape/jk_nsapi_plugin.c
I do not see any code blocks specifically checking for and rejecting requests to WEB-INF/* or META-INF/*. This seems different in design from the Apache or IIS filters - for example: Apache 2.0 - mod_jk.c:2575 IIS - jk_isapi_plugin.c:869 Does this represent a security flaw or a bug? In the mean time I have configured iplanet to reject requests to WEB-INF: PathCheck fn="deny-existence" path="*/WEB-INF/*" --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
