Mladen Turk wrote:
> Remy Maucherat wrote:
>>
>> Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is
>> used behind a proxy (including, but not limited to, Apache HTTP server
>> with mod_proxy and mod_jk) configured to only proxy some contexts, a
>> HTTP request containing strings like "/\../" may allow attackers to
>> work around the context restriction of the proxy, and access the
>> non-proxied contexts.

You neglected to mention %2F - a significant identical issue.

> But this is unlikely to happen unless you explicitly add
> AllowEncodedSlashes and unless you physically put your webapps
> inside ServerRoot so they can be directly accessed by web server
> regardless of proxy used.

Nope - you have one misunderstanding of AllowEncodedSlashes! On Windows, this will not happen (if the path is physical and not virtual), you are correct. On all platforms, %2F is caught and rejected by default, as well.

On Unix, %5C is an opaque filename byte. E.g. /My\Cool\App/ is a one level deep filename "My\Cool\App" (escaped with shell syntax as My\\Cool\\App). On both, '\' itself unescaped is meaningless and disallowed.

Just to be clear, %2F is also an opaque filename byte, that can't be represented on Unix or Windows (because it is their path separator). But on Mac OS 9 for example, there would be nothing improper about /my%2Fdocs mapping to the file my/docs in WebServer:Documents. It most definitely NEVER means path-delimiter.

So Unix couldn't care less that you are passing %5C's à la '\'s, they are opaque character bytes, per RFC 2396 (which for purposes of HTTP/1.1 is not superseded by RFC 3986, although it would be in the next draft of the HTTP spec, probably.)

I've started a thread on httpd suggesting to disallow %5C the same on Unix as on Windows, or to treat it as '/' path delimiter on either, for the sake of consistency and the fact that half the world is treating %5C as a delimiter against the RFC guidelines.

Bill
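The proxy/backend mismatch the thread is about is easiest to see side by side: a front-end check that looks only at the raw request path, next to one that first refuses the bytes whose meaning differs between the two hops (%5C, %2F and a bare backslash) and then compares the backend's view of the path against the allow-list. This is an added illustration, not code from the thread, from Tomcat or from httpd; `ALLOWED_CONTEXTS`, the function names and `backend_normalize` are assumptions, and `backend_normalize` is a simplified model of the decoding and delimiter handling the thread attributes to Tomcat, not Tomcat's actual mapper.

```python
from urllib.parse import unquote

# Constructed: the contexts this proxy is configured to forward to the backend.
ALLOWED_CONTEXTS = ("/app",)

# Bytes whose meaning differs between a proxy that follows RFC 2396
# (opaque filename byte) and a backend that treats them as delimiters.
AMBIGUOUS_TOKENS = ("\\", "%5c", "%2f")


def naive_proxy_allows(raw_path: str) -> bool:
    """Prefix check on the raw request path, without any normalization.

    This is the weak form: it only asks whether the path *starts* with an
    allowed context, so anything after that prefix is never examined.
    """
    return any(raw_path == ctx or raw_path.startswith(ctx + "/")
               for ctx in ALLOWED_CONTEXTS)


def backend_normalize(raw_path: str) -> str:
    """Model (assumption) of how the thread says the backend resolves a path:
    percent-decode, treat both '/' and '\\' as segment delimiters, and
    collapse '.' and '..' segments."""
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def backend_context(raw_path: str) -> str:
    """First path segment as the backend would see it, i.e. the context
    that would actually be dispatched to."""
    normalized = backend_normalize(raw_path)
    first = normalized.split("/")[1] if normalized != "/" else ""
    return "/" + first


def hardened_proxy_allows(raw_path: str) -> bool:
    """Corrected form: refuse ambiguous encodings outright (what the thread
    proposes httpd should do for %5C, and already does for %2F), then
    decide on the backend's normalized view rather than the raw prefix."""
    lowered = raw_path.lower()
    if any(tok in lowered for tok in AMBIGUOUS_TOKENS):
        return False
    return backend_context(raw_path) in ALLOWED_CONTEXTS


if __name__ == "__main__":
    # Constructed sample request paths, including the "/\../" shape from
    # the advisory text quoted above.
    samples = ["/app/index.jsp", "/app/\\../admin/", "/app/%5C../admin/",
               "/app/..%2Fadmin", "/app/../admin", "/admin/"]
    for path in samples:
        print(f"{path:22} naive={naive_proxy_allows(path)!s:5} "
              f"backend_sees={backend_context(path):8} "
              f"hardened={hardened_proxy_allows(path)}")
```

The point to take from running it: every traversal variant passes the prefix check because the prefix is genuinely "/app/", yet the backend dispatches each of them to "/admin". The hardened check closes the gap in two independent ways, so it still holds if the backend's delimiter handling changes: it rejects the encodings that mean different things on the two hops, and it evaluates the allow-list against the same normalized path the backend will use.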