https://bz.apache.org/bugzilla/show_bug.cgi?id=62459
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
The proposed patch enables a directory traversal vulnerability with the
default configuration. Therefore, it can't be applied in its current form.

Even if the patch's behaviour is restricted to only be enabled with:

AllowEncodedSlashes NoDecode

mod_jk needs to differentiate between %252F and %2F in the original URI to
correctly re-encode the processed (mod_rewrite etc.) URI which it is not
going to be able to do in all circumstances. The problem is that both "%252F"
and "%2F" are identical in decoded form if "%2F" is not decoded and there is
no way to tell them apart.

The only viable option is to use:

JkOptions +ForwardURICompatUnparsed

which has the significant disadvantage that mod_rewrite etc. cannot be used.

Unfortunately, I don't see any other alternatives at this point.
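The %252F / %2F collision the comment describes, shown as an added Python example (not code from the bug report, mod_jk or httpd). The decoder models "AllowEncodedSlashes NoDecode" as "decode every %XX except %2F and %5C"; the sample paths are constructed.

```python
# Added example, not part of the bug report or of mod_jk/httpd. It models how
# a request path looks after percent-decoding under two httpd policies and
# shows why, once "%2F" is left encoded (AllowEncodedSlashes NoDecode), a path
# that originally held "%252F" cannot be told apart from one that held "%2F".

HEXDIGITS = set("0123456789abcdefABCDEF")
ENCODED_SLASHES = {0x2F, 0x5C}  # "/" and "\" (the octets NoDecode preserves)


def percent_decode(path: str, keep_encoded_slashes: bool) -> str:
    """Decode %XX escapes in `path` (bytes > 0x7F become Latin-1 chars).

    keep_encoded_slashes=True mimics "AllowEncodedSlashes NoDecode": every
    escape is decoded except %2F/%5C, which are kept verbatim so they do not
    turn into path-segment separators. False mimics "AllowEncodedSlashes On",
    where %2F becomes a real "/".
    """
    out, i = [], 0
    while i < len(path):
        esc = path[i + 1:i + 3]
        if path[i] == "%" and len(esc) == 2 and set(esc) <= HEXDIGITS:
            byte = int(esc, 16)
            if keep_encoded_slashes and byte in ENCODED_SLASHES:
                out.append("%%%02X" % byte)  # leave the encoded slash as-is
            else:
                out.append(chr(byte))
            i += 3
        else:
            out.append(path[i])  # literal char or malformed escape: keep
            i += 1
    return "".join(out)


def indistinguishable_after_decode(original_a: str, original_b: str) -> bool:
    """True when two distinct original URIs have the same NoDecode form; this
    is the case the comment says mod_jk cannot re-encode correctly."""
    if original_a == original_b:
        return False
    return percent_decode(original_a, True) == percent_decode(original_b, True)


if __name__ == "__main__":
    # Constructed sample requests: a doubly-encoded and a singly-encoded slash.
    doubly, singly = "/app/a%252Fb", "/app/a%2Fb"
    for p in (doubly, singly):
        print(f"{p:14} -> NoDecode: {percent_decode(p, True):12} "
              f"On: {percent_decode(p, False)}")
    print("ambiguous under NoDecode:", indistinguishable_after_decode(doubly, singly))
```

With `keep_encoded_slashes=False` the two inputs stay distinct ("/app/a%2Fb" vs "/app/a/b"), but the encoded slash has then become a real segment separator, which is the traversal concern; forwarding the unparsed URI (ForwardURICompatUnparsed) sidesteps decoding altogether, at the cost the comment notes.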