Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/01/21 16:07:52 UTC

DO NOT REPLY [Bug 44275] New: - isapi_redirect.dll denies access to URIs with META-INF / WEB-INF anywhere in the URI

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44275>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44275

           Summary: isapi_redirect.dll denies access to URIs with META-INF
                    / WEB-INF anywhere in the URI
           Product: Tomcat 6
           Version: 6.0.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P1
         Component: Connectors
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: hburde@merentis.com


The Netbeans IDE (5/6 with JSF projects) constructs path names in web projects
which are blocked by the isapi_redirector. This is *not* changeable in Netbeans
(verified in the Netbeans list).

Running some tests we discovered that almost all Javascript was
filtered out and we got mostly blank pages. The reason was that the
isapi_redirector filters out every access to *any* URI which *contains*
META-INF / WEB-INF ANYWHERE in the PATH.

Example: javascript $CONTEXT/theme/META-INF/json/json.jsf
[typical *.js path extracted from Browser: source ..]

This is NOT the protected META-INF config directory - it's just a path which
accidentally contains META-INF !!!

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


------- Additional Comments From hburde@merentis.com  2008-01-23 00:24 -------
Hi;

With Netbeans 6 and maybe 5.x this is very serious. Every JSF web application
won't work when run over the isapi_redirector. I would suggest to either enhance
the config to explicitly list those paths or provide a switch to deactivate this
filter.

------- Additional Comments From hburde@merentis.com  2008-01-23 23:57 -------
(In reply to comment #3)
> Why does isapi_redirector filter it ?  I thought TC itself would receive the
> request, calculate the meaning of the request is referencing a top-level path
> within a context and return a 403/404/whatever.
> 
> isapi_redirect surely can be transparent in this regard ?

See Bug ID 39614 for an explanation. The redirector does some (redundant)
additional filtering independent of tomcat (jk_isapi_plugin.c / uri_is_web_inf :
looks for uri *containing* meta-inf / web-inf).

------- Additional Comments From markt@apache.org  2008-01-26 10:08 -------
To repeat what I said earlier in this bug;

If you have a patch for this issue that you believe would be safe, please feel
free to re-open this issue and attach your patch for review.

------- Additional Comments From darryl@darrylmiles.org  2008-01-26 09:53 -------
Maybe someone should remove the check like mtruk suggests in
http://issues.apache.org/bugzilla/show_bug.cgi?id=39614#c1 and actually provide
a test case that proves the resulting system violates the servlet spec.

isapi_redirector is a "connector"
Apache Tomcat is a "servlet container"

Since it is the servlet container specification which is being cited as the
reason for the check, it is my belief that no matter what connector the
inbound HTTP requests come in via (Coyote, AJP/mod_jk/isapi_redirector),
Apache Tomcat will police the situation and return a 404 as the servlet
specification requires.


------- Additional Comments From hburde@merentis.com  2008-01-24 06:38 -------
(In reply to comment #5)
> What "explanation" ?  Not one that I can see.  TC already has this check in
> place so what's that reason again to not pass it through ?

Dunno - I reported this as a bug for that reason (useless check). The
'explanation' is something I got as reply when I reported the bug (not fixed
because ..).

------- Additional Comments From darryl@darrylmiles.org  2008-01-24 02:55 -------
What "explanation" ?  Not one that I can see.  TC already has this check in
place so what's that reason again to not pass it through ?

------- Additional Comments From darryl@darrylmiles.org  2008-01-23 21:41 -------
Why does isapi_redirector filter it ?  I thought TC itself would receive the
request, calculate the meaning of the request is referencing a top-level path
within a context and return a 403/404/whatever.

isapi_redirect surely can be transparent in this regard ?

markt@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From markt@apache.org  2008-01-21 13:24 -------
Part of the reason the duplicate is WONTFIX since there is no way for the
isapi_redirector to differentiate between /foo/WEB-INF when foo is a context and
when foo is just a sub-directory of the ROOT web application.

When this has been raised in the past, AFAIR the general consensus was to err on
the side of safety and risk blocking a few requests that are valid.

If you have a patch for this issue that you believe would be safe, please feel
free to re-open this issue and attach your patch for review.

*** This bug has been marked as a duplicate of 39614 ***

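Added example, not code from the Tomcat connectors project and not the real uri_is_web_inf implementation: `redirector_denies` models the "URI *contains* META-INF / WEB-INF anywhere" rule the jk_isapi_plugin.c comment in this thread describes, and `container_denies` models the context-aware rule that markt's comment says the redirector cannot apply because it does not know whether /foo is a context or a sub-directory of ROOT. The function names, the context lists and the sample URIs are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive ASCII "haystack contains needle". */
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* Assumed model of the redirector rule described in the thread (not the
   real uri_is_web_inf): deny if "web-inf"/"meta-inf" occurs ANYWHERE. */
bool redirector_denies(const char *uri) {
    return contains_ci(uri, "web-inf") || contains_ci(uri, "meta-inf");
}

/* Case-insensitive compare of the first alen bytes of a against b. */
static bool eq_ci(const char *a, size_t alen, const char *b) {
    if (alen != strlen(b)) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Model of what a container can decide because it knows its contexts: deny
   only when the FIRST segment after the longest matching context path
   ("/", "/app", ... constructed for this example) is WEB-INF or META-INF. */
bool container_denies(const char *uri, const char *const *contexts, size_t n) {
    const char *rest = NULL; size_t best = 0;
    for (size_t i = 0; i < n; i++) {
        size_t cl = strcmp(contexts[i], "/") == 0 ? 0 : strlen(contexts[i]);
        if (strncmp(uri, contexts[i], cl) == 0 && uri[cl] == '/' && cl >= best) {
            best = cl;
            rest = uri + cl + 1;   /* path relative to the context root */
        }
    }
    if (rest == NULL) return false;    /* no context matched this URI */
    size_t seglen = strcspn(rest, "/");
    return eq_ci(rest, seglen, "WEB-INF") || eq_ci(rest, seglen, "META-INF");
}
```

With contexts {"/", "/app"} the reporter's /app/theme/META-INF/json/json.jsf passes the context-aware check but fails the substring one, while /foo/WEB-INF/web.xml flips from allowed to denied only once /foo is known to be a context, which is exactly the information the redirector lacks.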