On Thu, 27 Jun 2003 [EMAIL PROTECTED] wrote:

> billbarker    2003/06/26 19:54:18
>
>   Modified:    jk/native/common jk_uri_worker_map.c jk_uri_worker_map.h
>   Log:
>   Fix problem with URLs that contain "//".
>
>   This is essentially what Apache/httpd does in location_walk.

Make sure you realize that, especially on Windows, this is unlikely to be sufficient to fix this class of problems unless there is other code somewhere that I didn't see when I checked. What happens, for example, if you have a directory /directory/ that also has an 8.3 name direct~1 and access the direct~1 form of the name? What prevents the rule mapping /directory/*.jsp to tomcat from being bypassed?

This is one of the reasons why the Apache documentation tells you never to use a Location section to protect or control access to the filesystem, but instead to use a Directory section. Due to filename variance there are many different filenames, and hence URLs, that can be used to access the same actual file, bypassing the protection (in this case mapping). This requires the filename be canonicalized for comparisons, which is partly done in directory_walk() in Apache.

Certainly, doing this right is complex. But that is one of the exact reasons I run Apache in front of Tomcat and why I want Tomcat and the connectors to it to have the smallest possible duplicate codepath.
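
An added example, not part of the original message and not mod_jk or Apache code: it contrasts a rule compared against the URI text (after collapsing "//") with a rule compared against the canonical filename. Assumptions: the function names and the temporary document root are constructed for illustration, a symlink stands in for the 8.3 short name (which exists only on Windows), and `os.path.realpath` is this example's canonicalization step, not Apache's `directory_walk()`.

```python
import fnmatch
import os
import re
import tempfile

RULE = "/directory/*.jsp"  # the URI mapping rule quoted in the message


def uri_rule_matches(uri):
    """Location-style check: collapse '//' and compare the URI text only."""
    return fnmatch.fnmatchcase(re.sub(r"/{2,}", "/", uri), RULE)


def file_rule_matches(docroot, uri):
    """Directory-style check: resolve the URI to the real file, then compare."""
    root = os.path.realpath(docroot)
    real = os.path.realpath(os.path.join(root, uri.lstrip("/")))
    if os.path.commonpath([root, real]) != root:
        raise ValueError("URI resolves outside the document root")
    protected = os.path.join(root, "directory")
    return os.path.commonpath([protected, real]) == protected and real.endswith(".jsp")


def demo():
    """Constructed docroot in which 'direct~1' is a second name for 'directory'."""
    with tempfile.TemporaryDirectory() as docroot:
        os.mkdir(os.path.join(docroot, "directory"))
        open(os.path.join(docroot, "directory", "index.jsp"), "w").close()
        # Stand-in for the Windows 8.3 alias: another name for the same directory.
        os.symlink("directory", os.path.join(docroot, "direct~1"))
        uris = ("/directory/index.jsp", "/directory//index.jsp", "/direct~1/index.jsp")
        return {u: (uri_rule_matches(u), file_rule_matches(docroot, u)) for u in uris}


if __name__ == "__main__":
    for uri, (by_uri, by_file) in demo().items():
        print(f"{uri:26} uri-rule={by_uri!s:5} file-rule={by_file}")
```

Only the comparison on the resolved filename gives the same answer for every spelling of the path; collapsing "//" covers one alias and leaves the others.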