Posted to dev@tomcat.apache.org by Palle Girgensohn <gi...@pingpong.net> on 2003/06/24 00:45:36 UTC

mod_jk && multiple slashes reveals jsp code

Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just 
fine.

But, http://server//app/foobar.jsp will not be caught by JkMount, and 
apache will send the jsp source code to the browser. Of course, a rewrite 
can hinder this, but is it really meant to be this way? Is it just me 
having problems?

/Palle


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Re: Re: mod_jk && multiple slashes reveals jsp code

Posted by Earthlink Abuse Department <ab...@abuse.earthlink.net>.
Hello,

You are receiving this message in follow-up to a report
received by the EarthLink Abuse Department.  You may have
submitted this report to a number of addresses including but
not limited to abuse@abuse.earthlink.net,
abuse@earthlink.net, abuse@mindspring.com, abuse@netcom.com,
or abuse@onemain.com.

Most reports of network abuse sent to this department fall
into a few recognizable categories (spam, cracking, viruses,
etc.).  To increase efficiency, our filters scan incoming
reports and attempt to determine the general type of issue
being reported.

We were not able to process your report because it does not 
appear to include the information needed for EarthLink Abuse 
to begin its investigation. Evidence to Abuse should always 
include the IP address of the offending party and a valid 
timestamp, which includes time, date and timezone.

To learn how to report spam so action is taken:
http://spam.abuse.net/userhelp/howtocomplain.shtml

To learn how to locate and interpret e-mail headers in your 
e-mail client:
http://support.earthlink.net/support/TUTORIALS/email/mbx_interpret_headers.jsp

Other useful lookup tools:
http://samspade.org/

Once you have included the pertinent information needed,
please resubmit your report, and include this autoresponse. 
Your report will then be reprocessed by our filters.

However, you should expect to receive another auto-response
after your resubmission is re-examined, but due to the large
number of reports we receive, please understand that you may 
not receive a personal response.

Our policies can be found at the following page:

http://earthlink.net/about/policies/

Thanks,
The EarthLink Abuse Staff


>Marc Slemko wrote:
>> On Thu, 26 Jun 2003, Henri Gomez wrote:
>> 
>> By describing the problems, I'm hoping that someone who does have the
>> time right now can actually make one of the multitude of Apache --> tomcat
>> connectors into something production quality without gaping security,
>> performance, and stability issues.  If not, then it will have to wait
>> until I am at a point in my day job where we need to be deploying our
>> applications and they need to actually work right and I'll worry about
>> it then.
>> 
>> Oh, for whoever is trying to actually make mod_jk work right... you may
>> be able to do a "SetHandler jakarta-servlet" inside a Files section
>> in a Directory section, not sure if it supports it properly or not, although
>> that doesn't let you specify a specific worker.

>Nice whine ;-)

>If you someday choose to dedicate the same kind of effort on 
>contributing to TC, I would be very happy (and a lot of people would be 
>very grateful too) :)

>Remy






Re: mod_jk && multiple slashes reveals jsp code

Posted by Remy Maucherat <re...@apache.org>.
Marc Slemko wrote:
> On Thu, 26 Jun 2003, Henri Gomez wrote:
> 
> By describing the problems, I'm hoping that someone who does have the
> time right now can actually make one of the multitude of Apache --> tomcat
> connectors into something production quality without gaping security,
> performance, and stability issues.  If not, then it will have to wait
> until I am at a point in my day job where we need to be deploying our
> applications and they need to actually work right and I'll worry about
> it then.
> 
> Oh, for whoever is trying to actually make mod_jk work right... you may
> be able to do a "SetHandler jakarta-servlet" inside a Files section
> in a Directory section, not sure if it supports it properly or not, although
> that doesn't let you specify a specific worker.

Nice whine ;-)

If you someday choose to dedicate the same kind of effort on 
contributing to TC, I would be very happy (and a lot of people would be 
very grateful too) :)

Remy




Re: mod_jk && multiple slashes reveals jsp code

Posted by Henri Gomez <hg...@apache.org>.
Marc Slemko wrote:
> On Thu, 26 Jun 2003, Henri Gomez wrote:
> 
> 
>>Could we stop the useless criticism and flames and be more positive.
> 
> 
> I'm sorry that you think it is useless to point out the specific areas
> where mod_jk and mod_jk2 are doing things wrong.

If jk does some things wrong, we're open to making it evolve; that's a
devel list after all.

>>It's open source, and if you have objections, you're welcome to provide
>>fixes.
> 
> 
> To be honest, that isn't too appealing given the sad state of all
> the different connectors available and the extremely poor state of
> documentation about what is what and how things are supposed to
> work.  But that is irrelevant, and doesn't change the validity of pointing
> out what things are problems and why.

Sad state, are you sure? There are plenty of sites that use it every day
for production purposes.

No documentation? You're kidding. Did you take a look at the online
documentation at:

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/doc/

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/doc/


> What is the release plan for mod_jk2?  Is there any plan for making it
> production quality?  There doesn't seem to be much happening with it.
> Is one better served to work on mod_jk instead and give up on mod_jk2?

We need more contributors, so once again, you're welcome.
Mladen and Costin have done great work on jk2, and there is now a need
for more serious testing and fixes before it becomes production ready.


>>Never forget that mod_jk WAS DESIGNED to be cross web server compatible
>>and that's why some of the Apache functions are not used.
> 
> 
> mod_jk is the Apache specific module.  The fact that there are other
> modules using some shared code that are specific to other webservers
> doesn't change anything.

Of course, but the 'common' modules handle things that could sometimes
be delegated to the specific web servers; that's one of the big differences
between jk and jk2.


> Web server specific plugins are the things that should tie tomcat in
> with the way the particular webserver works.

All connector work is now done in jakarta-tomcat-connectors; jk,
jk2, coyote and http11 live there and are used by TC3/4/5.

> It is quite sad to see how much worse webserver plugins have gotten
> since the days of mod_jserv.

Well, there are 3 solutions for you:

- You contribute code to make mod_jk/mod_jk2 better.

- You get the mod_jserv sources and make a successor, i.e. mod_jserv2, which
   will easily deprecate mod_jk if it performs better.

- You develop a whole new connector module for
   Apache 1.3/Apache 2.0/IIS/Domino/iPlanet.


Please stop this flame thread if you only have criticism to offer
and no suggestions or fixes.

This is the tomcat-dev list, not the 'bureau des pleurs' (complaints office).





Re: mod_jk && multiple slashes reveals jsp code

Posted by Marc Slemko <ma...@znep.com>.
On Thu, 26 Jun 2003, Henri Gomez wrote:

> Could we stop the useless criticism and flames and be more positive.

I'm sorry that you think it is useless to point out the specific areas
where mod_jk and mod_jk2 are doing things wrong.

> It's open source, and if you have objections, you're welcome to provide
> fixes.

To be honest, that isn't too appealing given the sad state of all
the different connectors available and the extremely poor state of
documentation about what is what and how things are supposed to
work.  But that is irrelevant, and doesn't change the validity of pointing
out what things are problems and why.

What is the release plan for mod_jk2?  Is there any plan for making it
production quality?  There doesn't seem to be much happening with it.
Is one better served to work on mod_jk instead and give up on mod_jk2?

>
> Never forget that mod_jk WAS DESIGNED to be cross web server compatible
> and that's why some of the Apache functions are not used.

mod_jk is the Apache specific module.  The fact that there are other
modules using some shared code that are specific to other webservers
doesn't change anything.

Web server specific plugins are the things that should tie tomcat in
with the way the particular webserver works.

It is quite sad to see how much worse webserver plugins have gotten
since the days of mod_jserv.

> BTW, on the Tomcat side, there are some URI checks, since this problem
> could also appear when using the built-in http connector.
>
> In the actual case the problem seems to be that Apache handles the jsp
> directly since it didn't forward it to tomcat (probably because apache
> and tomcat run on the same machine).

The problem isn't that Apache doesn't forward it, the problem is that
mod_jk doesn't forward it because it reimplements things that Apache
can do for it a lot better and in a way that ensures it is compatible
with everything else happening in the webserver.  The same applies to
other webservers.  The mapping of what things should be passed to
tomcat and what things shouldn't is a security critical area that
can not be glossed over with a "ahh, we'll just make up our own way of
doing things since it means we don't have to bother with the webserver".
It is a plugin for the webserver, you have to bother with how the webserver
works.

It was a bad design decision to take the shortcut of trying to embed
all the configuration within shared code and reuse it for every webserver.

By describing the problems, I'm hoping that someone who does have the
time right now can actually make one of the multitude of Apache --> tomcat
connectors into something production quality without gaping security,
performance, and stability issues.  If not, then it will have to wait
until I am at a point in my day job where we need to be deploying our
applications and they need to actually work right and I'll worry about
it then.

Oh, for whoever is trying to actually make mod_jk work right... you may
be able to do a "SetHandler jakarta-servlet" inside a Files section
in a Directory section, not sure if it supports it properly or not, although
that doesn't let you specify a specific worker.



Re: mod_jk && multiple slashes reveals jsp code

Posted by Henri Gomez <hg...@apache.org>.
Palle Girgensohn wrote:
> --On onsdag, juni 25, 2003 11.16.02 +0200 Henri Gomez 
> <hg...@apache.org> wrote:
> 
>> Palle Girgensohn wrote:
>>
>>> Hi,
>>>
>>> When using mod_jk and apache13:
>>>
>>> JkMount /app/*jsp ajp13
>>>
>>> will redirect requests like http://server/app/foobar.jsp to tomcat, just
>>> fine.
>>>
>>> But, http://server//app/foobar.jsp will not be caught by JkMount, and
>>> apache will send the jsp source code to the browser. Of course, a
>>> rewrite can hinder this, but is it really meant to be this way? Is it
>>> just me having problems?
>>
>>
>> Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
>> a 404 instead.
>>
>> BTW, I'm using
>>
>> JkMount /app/* ajp13
> 
> 
> That's a different rule, match rule instead of suffix rule. The same 
> code is responsible, though. If you get a 404, it is apache that cannot 
> find the file you try to access for some other reason. The request never 
> gets to tomcat. I too get 404 with that rule when accessing servlets 
> this way, but I get jsp source code.
> 
> The problem is that mod_jk only does a strncmp and never bothers to check 
> for anomalies in the URL. The mod_jk design never cares about this 
> problem, which is strange. It is coded this way on purpose. It's not a 
> bug, it is a design flaw. :(

Could we stop the useless criticism and flames and be more positive.

It's open source, and if you have objections, you're welcome to provide 
fixes.

Never forget that mod_jk WAS DESIGNED to be cross web server compatible 
and that's why some of the Apache functions are not used.

BTW, on the Tomcat side, there are some URI checks, since this problem
could also appear when using the built-in http connector.

In the actual case the problem seems to be that Apache handles the jsp
directly since it didn't forward it to tomcat (probably because apache
and tomcat run on the same machine).







Re: mod_jk && multiple slashes reveals jsp code

Posted by Palle Girgensohn <gi...@pingpong.net>.
--On onsdag, juni 25, 2003 11.16.02 +0200 Henri Gomez <hg...@apache.org> 
wrote:

> Palle Girgensohn wrote:
>> Hi,
>>
>> When using mod_jk and apache13:
>>
>> JkMount /app/*jsp ajp13
>>
>> will redirect requests like http://server/app/foobar.jsp to tomcat, just
>> fine.
>>
>> But, http://server//app/foobar.jsp will not be caught by JkMount, and
>> apache will send the jsp source code to the browser. Of course, a
>> rewrite can hinder this, but is it really meant to be this way? Is it
>> just me having problems?
>
> Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
> a 404 instead.
>
> BTW, I'm using
>
> JkMount /app/* ajp13

That's a different rule, match rule instead of suffix rule. The same code 
is responsible, though. If you get a 404, it is apache that cannot find the 
file you try to access for some other reason. The request never gets to 
tomcat. I too get 404 with that rule when accessing servlets this way, but 
I get jsp source code.

The problem is that mod_jk only does a strncmp and never bothers to check for 
anomalies in the URL. The mod_jk design never cares about this problem, 
which is strange. It is coded this way on purpose. It's not a bug, it is a 
design flaw. :(

/Palle




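The mapping gap Palle describes, as an added illustration that is not mod_jk's code: a naive prefix/suffix comparison on the raw request URI (the `strncmp` style the thread mentions) beside a version that first collapses duplicate slashes and resolves `.` and `..` segments before comparing. The `naive_match`, `normalize_uri` and `normalized_match` functions and the sample URIs are constructed for this example; percent-decoding and other encodings are assumed to be handled elsewhere and are outside its scope.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive mapping in the style the thread describes: a plain prefix/suffix
 * comparison on the raw URI with no normalisation. "JkMount /app/*jsp"
 * is modelled as prefix "/app/" and suffix "jsp". Hypothetical, not mod_jk. */
bool naive_match(const char *uri, const char *prefix, const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix), ulen = strlen(uri);
    if (strncmp(uri, prefix, plen) != 0)
        return false;                     /* "//app/..." fails right here */
    if (slen == 0)
        return true;
    return ulen >= plen + slen && strcmp(uri + ulen - slen, suffix) == 0;
}

/* Canonicalise a URI path: collapse runs of '/', drop "." segments and
 * resolve ".." segments. Writes the result into out (capacity outlen).
 * Returns false when the path would climb above the root or does not fit,
 * which a caller should treat as a malformed request, not as "not ours". */
bool normalize_uri(const char *uri, char *out, size_t outlen)
{
    const char *p = uri;
    size_t n = 0;                          /* bytes written so far */
    if (outlen < 2)
        return false;
    out[n++] = '/';                        /* result always starts at root */
    while (*p) {
        while (*p == '/')                  /* swallow one or more slashes */
            p++;
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;                      /* "." is a no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (n == 1)
                return false;              /* ".." above root: reject */
            n--;                           /* drop the trailing '/' ... */
            while (n > 0 && out[n - 1] != '/')
                n--;                       /* ... and the previous segment */
            continue;
        }
        if (n + seglen + 1 >= outlen)
            return false;
        memcpy(out + n, seg, seglen);
        n += seglen;
        out[n++] = '/';
    }
    /* keep a trailing '/' only if the input itself ended with one */
    if (n > 1 && p > uri && p[-1] != '/')
        n--;
    out[n] = '\0';
    return true;
}

/* Mapping that canonicalises first, so "//app/foobar.jsp" and
 * "/./app/foobar.jsp" are routed exactly like "/app/foobar.jsp". */
bool normalized_match(const char *uri, const char *prefix, const char *suffix)
{
    char buf[1024];
    if (!normalize_uri(uri, buf, sizeof buf))
        return false;                      /* malformed: caller must reject */
    return naive_match(buf, prefix, suffix);
}

int main(void)
{
    /* Constructed sample URIs, including the one from the thread. */
    const char *uris[] = { "/app/foobar.jsp", "//app/foobar.jsp",
                           "/./app/foobar.jsp", "/app//foobar.jsp",
                           "/static/x.jsp" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-20s naive=%d normalized=%d\n", uris[i],
               (int)naive_match(uris[i], "/app/", "jsp"),
               (int)normalized_match(uris[i], "/app/", "jsp"));
    return 0;
}
```

The point of the second matcher is the one Marc makes: the decision of what is handed to tomcat is security critical, so it must be made on the same canonical path the web server uses to locate files, otherwise a request the mapper does not recognise falls through to the web server's default handler and the JSP source is served as a static file. A plugin that cannot reuse the server's own canonicalisation should at least reject (rather than ignore) any URI that fails to normalise, and the rewrite Palle mentions remains a reasonable belt-and-braces measure in front of it.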


Re: mod_jk && multiple slashes reveals jsp code

Posted by Henri Gomez <hg...@apache.org>.
Palle Girgensohn wrote:
> Hi,
> 
> When using mod_jk and apache13:
> 
> JkMount /app/*jsp ajp13
> 
> will redirect requests like http://server/app/foobar.jsp to tomcat, just 
> fine.
> 
> But, http://server//app/foobar.jsp will not be caught by JkMount, and 
> apache will send the jsp source code to the browser. Of course, a 
> rewrite can hinder this, but is it really meant to be this way? Is it 
> just me having problems?

Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
a 404 instead.

BTW, I'm using

JkMount /app/* ajp13




