https://issues.apache.org/bugzilla/show_bug.cgi?id=51132
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-04-30 19:00:30 UTC ---

This took a little digging and some discussion with some httpd folks who are more familiar with the specs than I am, but the conclusion is that Tomcat's behaviour is correct.

rfc3986 defines dot segments as exactly ".." or ".". This means "..;" is not a dot segment. Further, rfc3986 states that interpretation of path parameters is an application concern. Therefore, nginx is correctly normalising when ".." is present and correctly forwarding "..;" to the application.

rfc2616 does not add anything in this case beyond what is in rfc3986.

The Servlet specification states that path parameters are ignored when mapping requests. Therefore "..;" gets treated as ".." for mapping purposes, meaning "/g/..;/examples" gets treated as "/g/../examples" for mapping, which is normalised to "/examples".

Resin's error response is not specification compliant. Tomcat is correctly serving the examples context in this case.

This issue is a good example of why relying solely on the mappings of a reverse proxy to deny access to a particular context is likely to be insecure. Due to the impossibility of guaranteeing that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.
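The comment above describes two different views of the same request path: the RFC 3986 view a reverse proxy applies (only "." and ".." are dot segments, so "..;" is left alone) and the Servlet mapping view (path parameters are stripped from each segment first, so "..;" collapses to ".."). The following added example, written for this page and not code from Tomcat, nginx or Resin, implements both normalisations and a small audit check that tells an operator whether a proxy-side prefix deny rule and the container's context mapping agree on a given path. The function names, the `proxy_view` / `container_view` split and the sample paths are assumptions constructed for the illustration.

```python
"""
Compare RFC 3986 dot-segment removal (what a spec-compliant proxy does)
with Servlet-style mapping (path parameters dropped, then normalised).

Added example for the bug report above; not Tomcat's or nginx's code.
"""


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments, applied to a path.

    Only the exact segments "." and ".." are dot segments; a segment
    such as "..;" is an ordinary segment and is copied through as-is.
    """
    inp = path
    out = []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]            # "/./x" -> "/x"
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]            # "/../x" -> "/x", and drop last output segment
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/", if any) to output.
            start = 1 if inp.startswith("/") else 0
            idx = inp.find("/", start)
            if idx == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:idx])
                inp = inp[idx:]
    return "".join(out)


def strip_path_parameters(path: str) -> str:
    """Drop ";param" from every segment, as Servlet request mapping does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def proxy_view(path: str) -> str:
    """Path as a proxy that follows RFC 3986 sees it (constructed model)."""
    return remove_dot_segments(path)


def container_view(path: str) -> str:
    """Path as the Servlet container uses it for context mapping."""
    return remove_dot_segments(strip_path_parameters(path))


def deny_rule_is_consistent(path: str, denied_prefix: str) -> bool:
    """Audit check: does a proxy prefix deny rule and the container's
    mapping reach the same decision for this path?

    Returns True when either both views fall under the denied prefix or
    neither does. False means the proxy rule alone is not a reliable
    control for this context, which is the point the comment makes.
    """
    proxy_denies = proxy_view(path).startswith(denied_prefix)
    container_maps = container_view(path).startswith(denied_prefix)
    return proxy_denies == container_maps


if __name__ == "__main__":
    # Constructed sample paths; "/examples" is the context named in the report.
    for p in ("/g/../examples/", "/g/..;/examples/", "/a/b/./c/../d"):
        print(f"{p:20} proxy={proxy_view(p):16} container={container_view(p):16} "
              f"consistent={deny_rule_is_consistent(p, '/examples')}")
```

Running the script shows the first path agreeing in both views and the second diverging: the proxy sees "/g/..;/examples/" and does not match a "/examples" deny rule, while the container maps it to "/examples/". The practical consequence is the one the comment states: the context itself must be secured (removed, or protected with container-level constraints) rather than relying on the proxy's URL mappings.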