What the status of that one about a week later ?
I recall the discussions some months ago about replacing
the previous uri with unparsed_uri.
Did we have a way to determine that the uri came from
mod_rewrite and not from client (via the notes).
In that case what about using r->uri instead of r->unparsed_uri ?
-
Henri Gomez ___[_]____
EMAIL : [EMAIL PROTECTED] (. .)
PGP KEY : 697ECEDD ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>-----Original Message-----
>From: Bill Barker [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, August 15, 2001 9:51 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
>
>
>1.3.17 (with negotiation_module removed to prevent that problem).
>----- Original Message -----
>From: <[EMAIL PROTECTED]>
>To: "Bill Barker" <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Wednesday, August 15, 2001 1:01 PM
>Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
>
>
>> Apache2.0 + mod_jk + JNI + tc3.3 gives me the correct answer,
>> 404 ( with the correct URI - /?A=B.jsp ). Note that typing
>> the unencoded version is returning the correct answer too, i.e.
>> index.html.
>>
>> What version of apache are you using ?
>>
>> Costin
>>
>>
>>
>> On Wed, 15 Aug 2001, Bill Barker wrote:
>>
>> > It is actually worse than that. TC3.3B1 (with the mod_jk
>that it ships
>> > with, I haven't tried j-t-c yet) gives a directory listing
>in response
>to:
>> > http://myserver/%3f%41%3d%42.jsp
>> > ----- Original Message -----
>> > From: <[EMAIL PROTECTED]>
>> > To: <[EMAIL PROTECTED]>; "Bill Barker"
>> > <[EMAIL PROTECTED]>
>> > Sent: Wednesday, August 15, 2001 11:44 AM
>> > Subject: Re: [TC3.2.3][PATCH] mod_jk / mod_rewrite bug fix
>> >
>> >
>> > > On Wed, 15 Aug 2001, Bill Barker wrote:
>> > >
>> > > > Personally, I agree with Justin and Costin that mod_jk
>should be
>able to
>> > use
>> > > > the uri field.
>> > > >
>> > > > Having said that, I'd like to point out that the
>mod_jk.c in j-t-c
>is
>> > > > flat-out broken. It doesn't handle the case where the
>'?' itself is
>> > > > encoded. Since this case is part of a currently
>popular attack on
>IIS,
>> > it
>> > > > will show up.
>> > >
>> > > Interesting finding. However tomcat decoder should be
>able to do so -
>if
>> > > it doesn't we must fix it. Can you check against 3.3beta1 ?
>> > >
>> > > As a note, IMHO it is perfectly legal to have an encoded
>'?' in the
>URI,
>> > > and the behavior should be: the '?' will be decoded
>_after_ the URI is
>> > > separated from query string, and it's used as part of
>the file name.
>> > >
>> > > AFAIK there is no reason a file ( or pathInfo ) can't
>have the '?'
>char
>> > > inside, and the URI spec allow that.
>> > >
>> > > ( of course, paranoia may force us to remove this kind
>of behavior ).
>> > >
>> > > Costin
>> > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>
