RE: cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c

["Ignacio J. Ortega" <na...@siapi.es>]

Larry,

> 
> Sorry, Clicked the wrong button. :)
> 

No problem, :), i undertands the concerns, and the change seems a little
daring i know.. anyway, reviewing by peers works, thanks god.. :)

> To finish the thought, with the change below, does
> 
>     http://localhost/test%2F/test.jsp
> 
> still go to Tomcat?  Or is it blocked from going
> to Tomcat because it is a "bad" URL.  If it doesn't
> go to Tomcat, how do we know some other filter in the
> chain isn't going to serve it statically?
> 

take into account that to be able to map we first need to unescape the
url. it's the unescaping function the one that gives this errors, so we
can only block these url prior to do the mapping, so we really dont know
if the url should go to tomcat or not at this point.. 

And It's almost the same case that in apache you need to explicitely
block WEB-INF, if you want block people from look at there when using a
configuration where tomcat context it's directly configured as an apache
served directory.. something that needs to be tweaked to be secure..

I think this is the same case, it's an advanced configuration, there are
posible source disclosures, but it's a risk you can sort out.. like in
the apache WEB-INF case..

And the casual and default configuration, doesnt have this "advance"
features..

Do you see other way to fix 16759?

Saludos, 
Ignacio J. Ortega