Rémy Maucherat wrote:
> On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung <[EMAIL PROTECTED]> wrote:
> > Rémy,
> > I know that we cleaned reencoding of forwarded URLs up in the context of
> > the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at
> > that time it would have been easier, if the AJP connectors had resolved
> > %3Bjsessionid (because then we wouldn't have needed a new JK forward
> > option).
>
> %3Bjsessionid is not a session id. JK should not be passing a decoded
> URL, and that's pretty much the end of the story.
Agreed -- but that draws me back to the need for an option (or default
behavior!) in mod_proxy_ajp wherein the URL passed via AJP is not
decoded.
--
Jess Holle
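
The point debated in this thread, as an added example that is not part of the original messages and is not Tomcat, mod_jk or mod_proxy_ajp code: a simplified model in which the backend splits path parameters on a literal `;` before percent-decoding. The function names and sample URIs are constructed for illustration.

```python
from urllib.parse import unquote

def container_parse(request_uri):
    """Hypothetical backend parsing: split path parameters on a literal ';'
    in each segment first, then percent-decode what is left."""
    session_id = None
    segments = []
    for segment in request_uri.split("/"):
        name, *params = segment.split(";")
        for param in params:
            key, _, value = param.partition("=")
            if key == "jsessionid":
                session_id = unquote(value)
        segments.append(unquote(name))
    return "/".join(segments), session_id

def proxy_forward(request_uri, decode):
    """Hypothetical proxy: forward the URI as received, or percent-decoded."""
    return unquote(request_uri) if decode else request_uri

# Constructed sample request URIs.
SAMPLES = [
    "/app/report%3Bjsessionid=AAAA1111",  # encoded semicolon: data, not a delimiter
    "/app/report;jsessionid=BBBB2222",    # literal semicolon: a real path parameter
]

def compare(uri):
    """Return (path, session_id) as the backend sees it for each proxy mode."""
    raw = container_parse(proxy_forward(uri, decode=False))
    decoded = container_parse(proxy_forward(uri, decode=True))
    return raw, decoded

if __name__ == "__main__":
    for uri in SAMPLES:
        raw, decoded = compare(uri)
        print(f"{uri}\n  forwarded raw:     {raw}\n  forwarded decoded: {decoded}")
```

When the proxy decodes first, the backend can no longer tell `%3B` from `;`, so the first sample yields a session id that the client never sent as a path parameter.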