Posted to users@tomcat.apache.org by Christopher Swingler <cs...@cappex.com> on 2007/08/08 00:19:39 UTC

Issues with mod_jk and escaped sequences in URLs (particularly %2F)

Hi there list.

We're experiencing an odd issue when a URL contains an escaped sequence, in particular, the escaped sequence for forward slash (%2F).  We have a servlet defined in httpd.conf as such:

JkMount /search* worker1

If we look up "http://example.org/search/University+Of+Foo" it works fine. However, looking up something like "http://example.org/search/Foo%2FBar+College" will result in the URL NOT being handled by mod_jk--Apache HTTPD will handle it, and of course return a 404.

192.168.111.104 - - [07/Aug/2007:17:05:06 -0500] "GET /search/Foo%2FBar+College HTTP/1.1" 404 2994 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

On the other hand, "http://example.org/search/Foo/Bar+College" works fine:

192.168.111.104 - - [07/Aug/2007:17:08:46 -0500] "GET /search/Foo/Bar+College HTTP/1.1" 200 15432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

I feel like I've got something configured absolutely wrong, but I can't see what.

Thanks in advance for your suggestions.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Issues with mod_jk and escaped sequences in URLs (particularly %2F)

Posted by Mark Thomas <ma...@apache.org>.
Christopher Swingler wrote:
> Hi there list.
> 
> We're experiencing an odd issue when a URL contains an escaped sequence, in particular, the escaped sequence for forward slash (%2F).  We have a servlet defined in httpd.conf as such:

Take a look at:
- http://tomcat.apache.org/security-5.html CVE-2007-0450
- http://tomcat.apache.org/security-jk.html CVE-2007-1860

It should be a case of 'just' using the latest versions and setting
the right combination of options.

Mark


Re: Issues with mod_jk and escaped sequences in URLs (particularly %2F)

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Christopher,

- Which version of Apache?
- Which version of mod_jk?
- Which platform?

Most likely you only need to add

AllowEncodedSlashes On

to your Apache configuration (see the Apache httpd docs). Such URLs get
otherwise rejected by Apache itself. Note that there are good security
reasons for doing so, i.e. allowing encoded slashes gives attackers a lot
of possibilities to craft URLs which might pass your security restrictions.

If you really need to use encoded slashes, you should
consider upgrading to the forthcoming version 1.2.25 of mod_jk. The
release contains significant improvements with respect to handling URLs
with encoded characters when forwarding to Tomcat.

We are in the process of voting for this release, and there have been a
couple of changes how we handle encoded URLs.

You can find this version at:

http://tomcat.apache.org/dev/dist/tomcat-connectors/jk/

Note: This is not yet an official release. The vote looks good, so I
expect that we will announce the final release on Friday or Saturday
(without changes to the code).

You can easily find out if Apache passes a URL to mod_jk by setting the
log level of mod_jk to debug. This produces a lot of log lines (if
mod_jk actually sees the request) and is not meant for production purposes.

Regards,

Rainer

Christopher Swingler wrote:
> Hi there list.
> 
> We're experiencing an odd issue when a URL contains an escaped
> sequence, in particular, the escaped sequence for forward slash
> (%2F).  We have a servlet defined in httpd.conf as such:
> 
> JkMount /search* worker1
> 
> If we look up "http://example.org/search/University+Of+Foo" it works
> fine. However, looking up something like
> "http://example.org/search/Foo%2FBar+College" will result in the URL
> NOT being handled by mod_jk--Apache HTTPD will handle it, and of
> course return a 404.
> 
> 192.168.111.104 - - [07/Aug/2007:17:05:06 -0500] "GET
> /search/Foo%2FBar+College HTTP/1.1" 404 2994 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725
> Firefox/2.0.0.6"
> 
> On the other hand, "http://example.org/search/Foo/Bar+College" works
> fine:
> 
> 192.168.111.104 - - [07/Aug/2007:17:08:46 -0500] "GET
> /search/Foo/Bar+College HTTP/1.1" 200 15432 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725
> Firefox/2.0.0.6"
> 
> I feel like I've got something configured absolutely wrong, but I
> can't see what.
> 
> Thanks in advance for your suggestions.
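
As an added example (not code from this thread, from httpd or from the mod_jk project), the following Python models the behaviour Rainer describes: with AllowEncodedSlashes off, httpd answers the %2F request itself with a 404 and mod_jk never sees it; with it on, the path is decoded and then matched against the JkMount /search* line from the post, and the decoded path has one more segment than the raw target did. It also runs a simple check over the two access-log lines from the post, and shows why a path restriction has to be evaluated after decoding. Assumptions: JkMount's trailing '*' is approximated as a plain prefix match, the user-agent strings in the sample log are shortened, and the restricted prefix /search/internal is a constructed illustration, not anything from the thread.

```python
import re
from urllib.parse import unquote

# JkMount line from the original post. A trailing '*' is modelled here as a
# plain prefix match on the decoded path (an approximation of mod_jk's URI
# matching, not its real implementation).
JK_MOUNT = "/search*"

# Access-log lines copied from the original post (user-agent shortened).
SAMPLE_ACCESS_LOG = """\
192.168.111.104 - - [07/Aug/2007:17:05:06 -0500] "GET /search/Foo%2FBar+College HTTP/1.1" 404 2994 "-" "Mozilla/5.0"
192.168.111.104 - - [07/Aug/2007:17:08:46 -0500] "GET /search/Foo/Bar+College HTTP/1.1" 200 15432 "-" "Mozilla/5.0"
"""

ENCODED_SLASH = re.compile(r"%2[fF]")
REQUEST_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def mount_matches(decoded_path, mount=JK_MOUNT):
    """Return True if the decoded path falls under the JkMount pattern."""
    if mount.endswith("*"):
        return decoded_path.startswith(mount[:-1])
    return decoded_path == mount


def httpd_decision(raw_path, allow_encoded_slashes=False):
    """Simplified model of what httpd does with a request path before mod_jk.

    With AllowEncodedSlashes Off (the default) an encoded slash makes httpd
    answer 404 itself, so mod_jk never sees the request. Otherwise the path
    is decoded and matched against the JkMount pattern.
    Returns ("404", None), ("mod_jk", decoded) or ("httpd", decoded).
    """
    if not allow_encoded_slashes and ENCODED_SLASH.search(raw_path):
        return ("404", None)
    decoded = unquote(raw_path)
    if mount_matches(decoded):
        return ("mod_jk", decoded)
    return ("httpd", decoded)


def review_access_log(text):
    """Flag log entries whose raw target carries an encoded slash and count the
    path separators before and after decoding. The raw/decoded mismatch on a
    404 line is the symptom described in the post."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        findings.append({
            "target": target,
            "status": m.group("status"),
            "encoded_slash": bool(ENCODED_SLASH.search(target)),
            "raw_slashes": target.count("/"),
            "decoded_slashes": unquote(target).count("/"),
        })
    return findings


def denied_by_prefix(raw_path, denied_prefix, decode_first=True):
    """Model a path-prefix restriction placed in front of the servlet.

    Comparing the raw target misses a request that only resolves to the
    restricted prefix after decoding, even though the backend decodes it.
    The hardened form decodes once, then compares.
    """
    path = unquote(raw_path) if decode_first else raw_path
    return path.startswith(denied_prefix)


if __name__ == "__main__":
    for raw in ("/search/Foo%2FBar+College", "/search/Foo/Bar+College"):
        print(raw, "->", httpd_decision(raw),
              "| AllowEncodedSlashes On ->",
              httpd_decision(raw, allow_encoded_slashes=True))
    for finding in review_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
    # Constructed restricted prefix, used only to illustrate decode-then-check.
    print(denied_by_prefix("/search%2Finternal/report", "/search/internal", False),
          denied_by_prefix("/search%2Finternal/report", "/search/internal", True))
```

Running the script prints the routing decision for both URLs from the post under each setting, the two log findings (the first with encoded_slash true, a 404 status and two raw slashes against three decoded ones), and False/True for the raw versus decoded prefix check, which is the reason the restriction has to be applied to the decoded path when encoded slashes are enabled.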
