On Wed, 15 Aug 2001, Bill Barker wrote:
> It is actually worse than that. TC3.3B1 (with the mod_jk that it ships
> with, I haven't tried j-t-c yet) gives a directory listing in response to:
> http://myserver/%3f%41%3d%42.jsp
If I translate this corectly, your request is
http://myserver/?a=b.jsp
This is treated as a request for "/", with parameters ( that are
ignored since it's a static page ). Hmm, it should return a redirect or
index.html if exists.
Tomcat standalone is ok, it responds 404 ( and it does so because it
corectly does a single decoding _after_ separating the URI in components,
as required by URI spec ).
For mod_jk, it's a bit tricky. I assume you configured apache to handle
the static requests ?
Can you make sure you have a index.html page ? If you see a dir listing,
can you tell me who's generating it ( tomcat adds the version number at
bottom )
Thanks,
Costin
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "Bill Barker"
> <[EMAIL PROTECTED]>
> Sent: Wednesday, August 15, 2001 11:44 AM
> Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
>
>
> > On Wed, 15 Aug 2001, Bill Barker wrote:
> >
> > > Personally, I agree with Justin and Costin that mod_jk should be able to
> use
> > > the uri field.
> > >
> > > Having said that, I'd like to point out that the mod_jk.c in j-t-c is
> > > flat-out broken. It doesn't handle the case where the '?' itself is
> > > encoded. Since this case is part of a currently popular attack on IIS,
> it
> > > will show up.
> >
> > Interesting finding. However tomcat decoder should be able to do so - if
> > it doesn't we must fix it. Can you check against 3.3beta1 ?
> >
> > As a note, IMHO it is perfectly legal to have an encoded '?' in the URI,
> > and the behavior should be: the '?' will be decoded _after_ the URI is
> > separated from query string, and it's used as part of the file name.
> >
> > AFAIK there is no reason a file ( or pathInfo ) can't have the '?' char
> > inside, and the URI spec allow that.
> >
> > ( of course, paranoia may force us to remove this kind of behavior ).
> >
> > Costin
> >
> >
> >
> >
>
