Payne, George (ghp5h) wrote:
> Well, this is a bit off topic, since I had meant (and still mean) this as a
> tentative bug report of a problem with mod_jk (am I the only one who sees
> this issue?),

Yes, it looks like you have a valid bug report here.

> but commonly packaged applications assume you can serve
> non-java content (styles, .js files, etc) from the same tree you serve your
> java stuff, or at least this has been my experience.

Lots of people doing something doesn't make it the right thing to do.

> Your "best practice" makes sense to me, but it means either that you have to
> restructure every such packaged app, or you have to have tomcat serve all
> static files, bypassing a big reason why most people (I assume) are using
> apache to front tomcat.

In the past that was a good reason. These days not so much, and even less if you use APR.

> Maybe I'm missing something, it wouldn't be the first time...

Don't think so.

Mark

> George
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, December 16, 2008 4:42 PM
> To: Tomcat Users List
> Subject: Re: Serious security problem with mod_jk?
>
> Payne, George (ghp5h) wrote:
>> This is a problem I've seen reported on very old versions of mod_jk, but it
>> seems (apparently) to have a new life in 1.2.27 and possibly other recent
>> versions.
>>
>> If a user puts a double slash (http://mysite.com//myapp/myjsp.jsp) instead
>> of a single slash in a url, apache does not recognize it as part of a normal
>> pattern (eg JkMount /myapp/*.jsp) to be forwarded to tomcat and displays it
>> as html/text instead of as a jsp, revealing the source.
>
> Which is just one of the many reasons why it is a bad idea to overlap
> httpd's docRoot and Tomcat's docBase.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
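The symptom George describes (a raw URI with a doubled slash misses the JkMount pattern, so httpd serves the .jsp file itself when DocumentRoot and docBase overlap) leaves a trace in the httpd access log that a defender can look for. The script below is an added example written for this thread; it is not code from the thread, from mod_jk or from Tomcat. It assumes a combined-format access log and approximates mod_jk's URI matching with fnmatch-style globbing of the raw request path (real mod_jk matching differs in detail, so this is a log-review heuristic, not a reimplementation); the log lines, IPs and JkMount patterns are constructed.

```python
"""Flag access-log requests that reached httpd's static handler instead of mod_jk.

Assumption (not from the thread): JkMount matching is approximated with fnmatch
globbing of the raw request path. Treat the output as a review heuristic.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2008:16:42:01 -0500] "GET /myapp/myjsp.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Dec/2008:16:42:07 -0500] "GET //myapp/myjsp.jsp HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Dec/2008:16:43:11 -0500] "GET /myapp/styles/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Dec/2008:16:43:30 -0500] "GET /myapp//WEB-INF/web.xml HTTP/1.1" 404 221 "-" "curl/7.19"
"""

# JkMount patterns as they would appear in httpd.conf (hypothetical values).
JK_MOUNTS = ["/myapp/*.jsp", "/myapp/servlet/*"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that must never be served by httpd's static handler.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def normalize_path(raw):
    """Drop the query string and collapse runs of '/' into one.

    This is the canonical form Tomcat would resolve; comparing it with the raw
    form shows when httpd's pattern check saw something different.
    """
    path = raw.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def mount_matches(path, mounts):
    """True if any JkMount glob matches the path exactly as given."""
    return any(fnmatchcase(path, m) for m in mounts)


def find_unforwarded(log_text, mounts):
    """Return (ip, raw_path, reason) tuples for requests worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        raw = m.group("path").split("?", 1)[0]
        norm = normalize_path(raw)
        status = int(m.group("status"))
        segments = {s.lower() for s in norm.split("/")}
        if segments & PROTECTED_DIRS:
            # Any attempt to read WEB-INF/META-INF is interesting whatever the status.
            findings.append((m.group("ip"), raw, "protected-dir-probe"))
        elif status == 200 and not mount_matches(raw, mounts) and mount_matches(norm, mounts):
            # Raw URI missed every JkMount, the canonical form would have matched,
            # and httpd answered 200 itself: the double-slash symptom from the thread.
            findings.append((m.group("ip"), raw, "jkmount-bypass"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_unforwarded(SAMPLE_LOG, JK_MOUNTS):
        print(f"{reason:22s} {ip:10s} {path}")
```

A hit in the "jkmount-bypass" class is a sign that httpd is able to reach the .jsp file on disk at all, which only happens when the two document trees overlap; the durable fix remains the one Mark gives above (separate httpd's DocumentRoot from Tomcat's docBase), with the log check serving to confirm whether anyone has already exercised the gap.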