Bug#429751: 400 status code response from libapache2-mod-jk when used with mod-rewrite
vegandy at gmail.com
Wed Jun 20 16:03:17 UTC 2007
On 6/19/07, Michael Koch <konqueror at gmx.de> wrote:
> The problem seems to be related to the ForwardURICompatUnparsed-Option
> being default since mod_jk 1.2.23. This was made default because of the
> security advisory CVE-2007-1860. When you are sure this security issue
> can't be exposed on your system please change the default options to use
> ForwardURICompat instead of ForwardURICompatUnparsed. This re-enables
> the old behavior:
> JkOptions +ForwardURICompat
> Please report back if this fixes your issues.
Thanks for pointing me in the right direction. I saw bug 425836, but
didn't follow the link to the tomcat to see that it might affect
work with mod_rewrite.
I decided to use ForwardURIEscaped because of the warning against
using ForwardURICompat with prefix JkMounts. Since we're not using
URL encoded session IDs, it seemed like a better way to go.
I was unable to reproduce the vulnerability with a specially crafted
URL with version 1.2.21-1, but maybe my URL wasn't special
enough... I tried to follow the example from Red Hat's bugzilla.
Thanks again for your help!