It was reported that the patch for CVE-2007-0450 was insufficient, as a carefully
crafted encoded URL could still bypass a proxy. However, this is due to an
interaction with mod_jk, where mod_jk sends a decoded URL to Tomcat but
should send a raw URL.
What mod_jk sends to Tomcat:
12 34 01 A9 02 02 00 08 48 54 54 50 2F 31 2E 31 - .4......HTTP/1.1
00 00 1A 2F 6D 79 61 70 70 2F 25 32 45 25 32 45 - .../myapp/%2E%2E
2F 6D 61 6E 61 67 65 72 2F 68 74 6D 6C 00 00 0C - /manager/html...
Tomcat decodes the %2E%2E into .. and normalises /myapp/../manager/html
The Tomcat security team give this advice:
Due to the impossibility to guarantee that all URLs are handled by Tomcat as
they are in every possible proxy server, Tomcat should always be secured as if
no proxy restricting context access was used.
Note that this issue is not yet public.
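To make the packet dump above concrete, here is an added example (not mod_jk or Tomcat code) that parses the beginning of that AJP13 forward-request packet, recovers the request URI it carries, and then models the step the report describes: the backend percent-decodes the URI and normalises the dot segments, so a request the front end associated with the /myapp context resolves to /manager/html. The hex bytes are taken from the dump; the AJP13 framing (0x12 0x34 magic, 2-byte length, prefix code 2 for a forward request, 2-byte-length NUL-terminated strings) follows the AJP13 protocol description, and the `escapes_context` check is a defender-side assumption of how one would flag such requests, not something from the thread.

```python
"""Parse the AJP13 forward-request packet quoted in the report and show what
the backend makes of the URI it carries.  Added example for this thread; it is
not mod_jk or Tomcat code."""
import posixpath
from urllib.parse import unquote

# Hex column of the three dump lines in the report (the packet is truncated
# after the 2-byte length of the next AJP string, hence the trailing 00 0C).
AJP_DUMP_HEX = (
    "12 34 01 A9 02 02 00 08 48 54 54 50 2F 31 2E 31 "
    "00 00 1A 2F 6D 79 61 70 70 2F 25 32 45 25 32 45 "
    "2F 6D 61 6E 61 67 65 72 2F 68 74 6D 6C 00 00 0C"
)
PACKET = bytes.fromhex(AJP_DUMP_HEX.replace(" ", ""))

# AJP13 method codes from the protocol description; only GET occurs here.
AJP_METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}


def read_ajp_string(buf, pos):
    """AJP13 string: 2-byte big-endian length, the bytes, then a 0x00 terminator.
    A length of 0xFFFF encodes a null string."""
    length = int.from_bytes(buf[pos:pos + 2], "big")
    if length == 0xFFFF:
        return None, pos + 2
    start, end = pos + 2, pos + 2 + length
    if end >= len(buf):  # truncated capture: fail loudly instead of reading junk
        raise ValueError("AJP string runs past end of captured packet")
    if buf[end] != 0:
        raise ValueError("AJP string is not NUL-terminated")
    return buf[start:end].decode("latin-1"), end + 1


def parse_forward_request(packet):
    """Return magic-checked header fields: payload length, method, protocol, req_uri."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a web-server-to-container AJP13 packet (bad magic)")
    payload_len = int.from_bytes(packet[2:4], "big")
    pos = 4
    prefix = packet[pos]
    pos += 1
    if prefix != 2:  # JK_AJP13_FORWARD_REQUEST
        raise ValueError("not a forward-request packet (prefix %d)" % prefix)
    method = AJP_METHODS.get(packet[pos], "UNKNOWN")
    pos += 1
    protocol, pos = read_ajp_string(packet, pos)
    req_uri, pos = read_ajp_string(packet, pos)
    return {"payload_len": payload_len, "method": method,
            "protocol": protocol, "req_uri": req_uri}


def tomcat_view(req_uri):
    """Model the backend step the report describes: percent-decode the URI
    (%2E%2E -> ..), then normalise dot segments."""
    decoded = unquote(req_uri)
    return decoded, posixpath.normpath(decoded)


def escapes_context(req_uri, context="/myapp"):
    """Defender-side check (an assumption, not from the thread): after the backend
    decodes and normalises, does the path leave the context the proxy forwarded
    it under?  True means the proxy-side restriction no longer matches."""
    _, normalised = tomcat_view(req_uri)
    return not (normalised == context or normalised.startswith(context + "/"))


if __name__ == "__main__":
    req = parse_forward_request(PACKET)
    print("on the wire:", req)
    decoded, normalised = tomcat_view(req["req_uri"])
    print("decoded:    ", decoded)
    print("normalised: ", normalised)
    print("leaves /myapp:", escapes_context(req["req_uri"]))
```

Running it shows the wire URI `/myapp/%2E%2E/manager/html` becoming `/manager/html` once decoded and normalised, which is exactly why the security team's advice below applies: a restriction enforced only on the proxy's view of the URI is not a restriction on what the backend ultimately serves.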
Jean-Frederic said that "JkOptions ForwardURICompatUnparsed" should prevent
the problem and mod_jk code should be changed to use it as default value.
(The actual value ForwardURICompat breaks the specs.)
(In reply to comment #1)
> Jean-Frederic said that "JkOptions ForwardURICompatUnparsed" should prevent
> the problem and mod_jk code should be changed to use it as default value.
> (The actual value ForwardURICompat breaks the specs.)
ForwardURICompat is the default option and can be overridden with something like
JkOptions +ForwardURICompatUnparsed in the conf file. Note that we don't install
conf files for mod_jk - we have samples, so the change can't be made in the
conf file. Our samples don't mention JkOptions either, so customers using them
will use the default.
Is Jean-Frederic suggesting that the code be made to use
ForwardURICompatUnparsed by default? Is there a patch for this? Note that
documentation would need to be updated for this as well since most of it
suggests that the default is ForwardURICompat.
[Adding Jean-Frederic to CC list]
JF - Can you take a look at the above and let me know what you think?
Yes the mod_jk code should be made to use ForwardURICompatUnparsed by default.
No there isn't a patch for the moment.
(In reply to comment #4)
> Yes the mod_jk code should be made to use ForwardURICompatUnparsed by default.
> No there isn't a patch for the moment.
Thanks for the clarification. Please update the BZ when a patch is available.
Created attachment 154748 [details]
Patch for tomcat-connectors change the default value of JK_OPT_FWDURIDEFAUL
Patch for svn.apache.org/repos/asf/tomcat/connectors/trunk (15/05/2007).
It changes the default behaviour of mod_jk and has not yet been committed to
the ASF repos.
This is now public at http://tomcat.apache.org/security-jk.html, removing embargo.