https://issues.apache.org/bugzilla/show_bug.cgi?id=51769

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> 
2011-09-06 20:17:01 UTC ---
Looks like jk_isapi_plugin.c::uri_is_web_inf is a little too liberal with its
check:

static int uri_is_web_inf(const char *uri)
{
    if (stristr(uri, "/web-inf")) {
        return JK_TRUE;
    }
    if (stristr(uri, "/meta-inf")) {
        return JK_TRUE;
    }

    return JK_FALSE;
}

Might make sense to check to see if the uri either ends with either of those
two strings or explicitly has a "/" after either of them.

Obviously, requesting "/anything/meta-info-for-my-application" would cause a
failure, here.

I can confirm that mod_jk does not enforce such checks, because without
<Location>Allow/Deny</Location>, httpd will serve content out of WEB-INF and
META-INF directories if an Alias is set up to point to the deployment
directory.
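
The stricter check suggested in the comment above, sketched as an added example that is not part of the original comment or of mod_jk's source: a match counts only when the name is a whole path segment. The names uri_has_protected_segment and match_ci are hypothetical, JK_TRUE/JK_FALSE are local stand-ins, and the URI is assumed to be already decoded and normalised by the caller.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the mod_jk constants used in the quoted function. */
#define JK_TRUE  1
#define JK_FALSE 0

/* Case-insensitive match of `name` at `s`; returns the number of
 * characters matched, or 0 when `s` does not start with `name`. */
static size_t match_ci(const char *s, const char *name)
{
    size_t i = 0;
    while (name[i] != '\0') {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
        i++;
    }
    return i;
}

/* Hypothetical replacement for uri_is_web_inf(): JK_TRUE only when a whole
 * path segment equals WEB-INF or META-INF, i.e. the name follows a '/' and
 * is itself followed by '/' or the end of the URI. Assumes the caller has
 * already decoded and normalised the URI. */
static int uri_has_protected_segment(const char *uri)
{
    static const char *const names[] = { "web-inf", "meta-inf" };
    const char *p;
    size_t i, n;
    for (p = uri; *p != '\0'; p++) {
        if (*p != '/')
            continue;
        for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
            n = match_ci(p + 1, names[i]);
            if (n != 0 && (p[1 + n] == '\0' || p[1 + n] == '/'))
                return JK_TRUE;
        }
    }
    return JK_FALSE;
}

int main(void)
{
    /* Constructed sample URI taken from the comment above. */
    const char *uri = "/anything/meta-info-for-my-application";
    printf("%s -> %d\n", uri, uri_has_protected_segment(uri));
    return 0;
}
```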
