Rainer Jung wrote:
> On 21.03.2009 13:23, Mladen Turk wrote:
>> Rainer Jung wrote:
>>> I added a comment with a non-spec-compliant workaround to BZ41263.
>>> We'll see whether we can make the AJP Tomcat connectors "hack
>>> aware", i.e. allow them to get the remotePort from the REMOTE_PORT env
>>> var when set.
>> Only if you make sure that the REMOTE_PORT is always mod_jk/tomcat
>> private. Any REMOTE_PORT in the incoming request must be rewritten.
>> ... and there is a backward compatibility problem if you use new
>> tomcat with old mod_jk. This would be a security risk in that case.
>> Someone could easily set that value to anything and tomcat would
>> think it came from mod_jk. Very bad :)
> Sure? How could a remote user influence the *request attribute*
> REMOTE_PORT, i.e. the httpd environment variable REMOTE_PORT?
> Only a web server administrator can. It's not an http header or URL
> query parameter. Am I missing something?

I should read the entire logic before posting.
I missed that it's an env var.
Sorry for the noise ;)

Regards
--
^(TM)
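As an added illustration (not mod_jk or Tomcat code; every name below is hypothetical), here is a small Python model of the invariant the thread settles on: a connector that forwards REMOTE_PORT as an AJP request attribute must take the value from server-side data (the httpd environment variable or the accepted socket's peer port), strip any same-named attribute arriving with the request, and the backend must validate what it reads before trusting it. The "legacy" path models the backward-compatibility case Mladen raises, where an older connector forwards attributes untouched.

```python
"""
Model of trusted vs. untrusted REMOTE_PORT forwarding (added example,
not mod_jk or Tomcat code; all names and sample values are constructed).
"""
from dataclasses import dataclass, field

TRUSTED_ATTR = "REMOTE_PORT"


@dataclass
class IncomingRequest:
    """A request as seen by the front-end web server (hypothetical model)."""
    client_ip: str
    client_port: int                        # peer port of the accepted TCP connection
    headers: dict = field(default_factory=dict)
    attributes: dict = field(default_factory=dict)  # attributes an upstream hop might pass along


def build_forwarded_attributes(req, env_remote_port=None):
    """
    Attributes a 'hack aware' connector forwards to the backend.
    REMOTE_PORT is always rewritten from server-side data: the httpd env var
    if the administrator set one, otherwise the real peer port. Any copy
    that arrived with the request is dropped, and headers are never promoted.
    """
    attrs = {k: v for k, v in req.attributes.items() if k != TRUSTED_ATTR}
    port = env_remote_port if env_remote_port is not None else req.client_port
    attrs[TRUSTED_ATTR] = str(port)
    return attrs


def legacy_forwarded_attributes(req):
    """
    Models an old connector that forwards whatever attributes it was handed
    without rewriting REMOTE_PORT: the backward-compatibility risk in the thread.
    """
    return dict(req.attributes)


def backend_remote_port(attrs):
    """
    What the backend's connector would expose as request.getRemotePort():
    the forwarded attribute if it is a valid TCP port, otherwise 0
    (the value the original bug report complains about).
    """
    value = attrs.get(TRUSTED_ATTR)
    if value is None or not value.isdigit():
        return 0
    port = int(value)
    return port if 0 < port <= 65535 else 0


if __name__ == "__main__":
    # Constructed sample: a request carrying a spoofed REMOTE_PORT attribute.
    req = IncomingRequest(
        client_ip="203.0.113.7", client_port=54321,
        headers={"REMOTE_PORT": "1"}, attributes={"REMOTE_PORT": "1", "OTHER": "x"},
    )
    print("hack-aware path :", backend_remote_port(build_forwarded_attributes(req)))  # 54321
    print("legacy path     :", backend_remote_port(legacy_forwarded_attributes(req)))  # 1
```

Running the script shows the two paths side by side: the rewriting connector yields the real peer port, while the legacy path lets the client-supplied value through, which is exactly why the attribute has to be connector-private rather than trusted on arrival.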
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org