Bug#429751: 400 status code response from libapache2-mod-jk when used with mod-rewrite

Andy Hamilton vegandy at gmail.com
Wed Jun 20 16:03:17 UTC 2007


On 6/19/07, Michael Koch <konqueror at gmx.de> wrote:

>
> The problem seems to be related to the ForwardURICompatUnparsed-Option
> being default since mod_jk 1.2.23. This was made default because of the
> security advisory CVE-2007-1860. When you are sure this security issue
> can't be exposed on your system please change the default options to use
> ForwardURICompat instead of ForwardURICompatUnparsed. This re-enables
> the old behavior:
>
> JkOptions     +ForwardURICompat
>
> Please report back if this fixes your issues.



Thanks for pointing me in the right direction. I saw bug 425836, but
didn't follow the link to the tomcat to see that it might affect
mod_rewrite functionality.

Yep, both

JkOptions +ForwardURICompat
and
JkOptions +ForwardURIEscaped

work with mod_rewrite.

I decided to use ForwardURIEscaped because of the warning against
using ForwardURICompat with prefix JkMounts. Since we're not using
URL encoded session IDs, it seemed like a better way to go.

http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding

I was unable to reproduce the vulnerability with a specially crafted
URL with version 1.2.21-1, but maybe my URL wasn't special
enough... I tried to follow the example from Red Hat's Bugzilla.

Thanks again for your help!

Andy Hamilton
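
The following is an added example, not part of the original message and not mod_jk's own code: a simplified Python model of which URI each of the three JkOptions discussed above forwards to Tomcat, based on the connector documentation linked in the message. The rewrite rule, the sample URIs and the function names are constructed for illustration.

```python
from urllib.parse import quote, unquote

# Characters Apache httpd leaves unescaped in a path (besides alphanumerics).
# Note that ';' is not among them.
APACHE_PATH_SAFE = "$-_.+!*'(),:@&=/~"

def rewrite(decoded_path):
    """Hypothetical mod_rewrite rule: /shop/<x> -> /app/shop/<x>."""
    if decoded_path.startswith("/shop/"):
        return "/app" + decoded_path
    return decoded_path

def forwarded_uri(raw_request_uri, option):
    """Return the URI this simplified model of mod_jk would send to Tomcat."""
    path = raw_request_uri.split("?", 1)[0]
    if option == "ForwardURICompatUnparsed":
        # Original request URI, untouched: the rewrite result is never used.
        return path
    # What httpd holds after decoding the path and applying the rewrite rule.
    decoded = rewrite(unquote(path))
    if option == "ForwardURICompat":
        # Decoded form; the option the docs warn about with prefix JkMounts.
        return decoded
    if option == "ForwardURIEscaped":
        # Decoded form, re-encoded; ';' becomes %3B, which is why this mode
        # does not work with URL-encoded session IDs.
        return quote(decoded, safe=APACHE_PATH_SAFE)
    raise ValueError(f"unknown option: {option}")

OPTIONS = ("ForwardURICompatUnparsed", "ForwardURICompat", "ForwardURIEscaped")

def compare(raw_request_uri):
    """Map each option name to the URI it would forward."""
    return {opt: forwarded_uri(raw_request_uri, opt) for opt in OPTIONS}

if __name__ == "__main__":
    # Constructed sample requests.
    for raw in ("/shop/a%20b.jsp", "/shop/cart.jsp;jsessionid=ABC123"):
        print(raw)
        for opt, uri in compare(raw).items():
            print(f"  {opt:26} {uri}")
```
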