Well, this is a bit off topic, since I had meant (and still mean) this as a tentative bug report of a problem with mod_jk (am I the only one who sees this issue?), but commonly packaged applications assume you can serve non-Java content (styles, .js files, etc.) from the same tree you serve your Java stuff, or at least this has been my experience.

Your "best practice" makes sense to me, but it means either that you have to restructure every such packaged app, or you have to have Tomcat serve all static files, bypassing a big reason why most people (I assume) are using Apache to front Tomcat. Maybe I'm missing something; it wouldn't be the first time...

George

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, December 16, 2008 4:42 PM
To: Tomcat Users List
Subject: Re: Serious security problem with mod_jk?

Payne, George (ghp5h) wrote:
> This is a problem I've seen reported on very old versions of mod_jk, but it
> seems (apparently) to have a new life in 1.2.27 and possibly other recent
> versions.
>
> If a user puts a double slash (http://mysite.com//myapp/myjsp.jsp) instead
> of a single slash in a URL, Apache does not recognize it as part of a normal
> pattern (e.g. JkMount /myapp/*.jsp) to be forwarded to Tomcat and displays it
> as html/text instead of as a JSP, revealing the source.

Which is just one of the many reasons why it is a bad idea to overlap httpd's docRoot and Tomcat's docBase.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
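A configuration sketch, added here and not part of the thread, contrasting the overlapping layout George describes with the separated layout Mark recommends: the whole context is forwarded to Tomcat and httpd only serves a static tree that contains no Java artifacts, so a request that slips past the JkMount pattern finds nothing sensitive to serve. The paths, the worker name `worker1` and the Apache 2.4 `Require` syntax are assumptions.

```apache
# Weak layout (for contrast, commented out): httpd's DocumentRoot is the
# Tomcat webapps tree, so any request that fails to match the JkMount
# pattern (e.g. a "//" prefix) is served by httpd as a plain file,
# including the .jsp source.
#
#   DocumentRoot "/opt/tomcat/webapps"
#   JkMount /myapp/*.jsp worker1

LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log

# Hardened layout: static assets are deployed to their own tree that never
# contains JSPs, classes or WEB-INF; nothing under webapps/ is reachable.
DocumentRoot "/var/www/static"

# Forward the entire context to Tomcat, not just *.jsp ...
JkMount /myapp   worker1
JkMount /myapp/* worker1

# ... and carve out only the asset prefix httpd may serve itself
# (from /var/www/static/myapp/static/).
JkUnMount /myapp/static/* worker1

# Defence in depth: FilesMatch is applied to the resolved filename, not the
# request URI, so URL-shape tricks like "//" do not bypass it. Even if a
# Java artifact ever lands under DocumentRoot, httpd refuses to hand it out.
<FilesMatch "\.(jsp|jspx|class|java)$">
    Require all denied
</FilesMatch>
<DirectoryMatch "/(WEB-INF|META-INF)/">
    Require all denied
</DirectoryMatch>
```

Deploying the static tree separately is exactly the repackaging cost George objects to; the JkUnMount carve-out keeps httpd serving those assets without exposing the Tomcat tree.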