Rainer Jung wrote:
> Mladen Turk wrote:
>> You got me wrong. I suggest we decode the encoded uri, do mapping,
>> remove ;jsessionid=xxx and send that to the Tomcat.
>> This way tomcat won't have double encoding issue.
>> And it's completely legitimate if we comply to the RFC.
>> This would also solve malicious mapping attempts like /app1/../app2
>> before they even hit tomcat.
> It would not help. Tomcat *does* another decoding in the connector!

Look, what I'm saying is that we should simplify all the JkOptions
ForwardURI*. IMHO they all originate from the fact that uri in the Apache
can come from multiple pre-processing stages that modify the original
URI. The solution is very simple but it would require that we write
the URI decoder. When the uri comes to the mod_jk before doing any mapping
or anything else we should decode that uri and then use it,
and send that uri to the Tomcat (the one we rewrote).
Regards,
Mladen.
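
The decode-then-map order proposed in the message, sketched as an added example (not mod_jk code and not from the thread). `canon_uri` and `under_mount` are hypothetical names, the sample request is constructed, and stripping every `;parameter` rather than only `;jsessionid` is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper: decode once, strip ";params", resolve "." and "..". 0 = ok, -1 = reject. */
int canon_uri(const char *in, char *out, size_t outlen) {
    size_t n = 0, w = 0, r = 0;
    if (in[0] != '/') return -1;                    /* only absolute paths */
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;                       /* pass 1: exactly one decoding pass */
        if (c == '%') {
            if (!isxdigit(p[1]) || !isxdigit(p[2])) return -1;  /* malformed escape */
            char hex[3] = { (char)p[1], (char)p[2], 0 };
            c = (unsigned char)strtol(hex, NULL, 16);
            p += 2;
        }
        if (c == 0 || n + 1 >= outlen) return -1;   /* decoded NUL or too long */
        out[n++] = (char)c;                         /* note: %2F becomes a separator */
    }
    while (r < n) {                                 /* pass 2: rebuild segment by segment */
        size_t s = ++r;                             /* out[r] was '/', segment starts at s */
        while (r < n && out[r] != '/') r++;
        size_t len = r - s;
        char *semi = memchr(out + s, ';', len);
        if (semi) len = (size_t)(semi - (out + s)); /* drop ;jsessionid=xxx and the like */
        if (len == 0 || (len == 1 && out[s] == '.')) continue;
        if (len == 2 && out[s] == '.' && out[s + 1] == '.') {
            if (w == 0) return -1;                  /* ".." climbs above the root */
            while (out[--w] != '/') { }             /* pop the previous segment */
            continue;
        }
        out[w++] = '/';
        memmove(out + w, out + s, len);             /* write index never passes read index */
        w += len;
    }
    if (w == 0) out[w++] = '/';
    out[w] = 0;
    return 0;
}
/* Hypothetical mount check: prefix match that ends on a segment boundary. */
int under_mount(const char *canon, const char *mount) {
    size_t m = strlen(mount);
    return !strncmp(canon, mount, m) && (canon[m] == '/' || canon[m] == 0);
}
int main(void) {
    char buf[256] = "";                             /* constructed sample request below */
    int rc = canon_uri("/app1/%2e%2e/app2/x;jsessionid=ABC", buf, sizeof buf);
    printf("rc=%d canon=%s under /app1: %d\n", rc, buf, under_mount(buf, "/app1"));
    return 0;
}
```

A double-encoded input such as `/app1/%252e%252e/app2` comes out with a literal `%2e%2e` segment, so a receiver that decodes again would still see dot segments; that is the second decoding raised in the quoted reply.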