Bug 32660 - Apache returning code when using the Location directive
Status: RESOLVED INVALID
Product: Apache httpd-2
Classification: Unclassified
Component: All
Version: 2.0.46
Hardware: PC Windows XP
Importance: P2 normal
Assigned To: Apache HTTPD Bugs Mailing List
Reported: 2004-12-12 21:03 UTC by Aflatoon Aflatooni
Modified: 2004-12-12 17:51 UTC
Description Aflatoon Aflatooni 2004-12-12 21:03:31 UTC
Hi,
This could be a security bug.

I am running Apache and Tomcat together. Apache handles all the web 
traffic and passes the JSP files to the Tomcat workers. I have this configured 
in the virtualhost.

This is done using the following configuration in the httpd.conf.

<VirtualHost www.yasna.com:80>
    ServerAdmin support@yasna.com
    ServerName www.yasna.com
    ServerAlias yasna.com
    DocumentRoot /web/yasna
    ErrorLog /web/yasna/logs/og-error_log
    RewriteEngine On
    ErrorDocument 500 /error/index.html
    ErrorDocument 404 /error/notfound.html
    CustomLog /web/yasna/logs/og-access_log combined
        <Location "/*.jsp">
                JkUriSet worker ajp13:localhost:8009
        </Location>
        <Location "/servlet/*">
                JkUriSet worker ajp13:localhost:8009
        </Location>
</VirtualHost>

Everything is fine when I access the site using the http://www.yasna.com and 
all the jsp files are returning proper (parsed) pages. 

But if I access the site using the server alias http://yasna.com, only the jsp 
pages in the root directory are returned properly. The pages in the 
subdirectories return the jsp code. To fix the problem I had to make modifications 
to the configuration and add the following lines:
        <Location "/*/*.jsp">
                JkUriSet worker ajp13:localhost:8009
        </Location>
        <Location "/*/*/*.jsp">
                JkUriSet worker ajp13:localhost:8009
        </Location>
And this works for me, as I only have 2 levels of subdirectories.
With the updated configuration everything is working now, but this is a 
serious problem. 

Please note that this problem exists only when I access the site using the 
server alias. When I access the site using http://www.yasna.com all the jsp 
files in all the directories are parsed by tomcat and returned properly.

Aflatoon
Comment 1 Aflatoon Aflatooni 2004-12-12 21:06:35 UTC
I thought I should add a comment to clarify things:
So the following pages work properly

http://www.yasna.com/test.jsp
http://www.yasna.com/test/test.jsp
http://yasna.com/test.jsp

But the following page doesn't work:

http://yasna.com/test/test.jsp

I get the jsp code and the page isn't parsed by Tomcat.
Please comment
Aflatoon
Comment 2 Nick Kew 2004-12-13 02:51:39 UTC
Please use a user support forum for configuration questions.  The <Location>
directive is working correctly; it just isn't what you should be using.
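
Added example (not part of the original report or of Apache's code): a small coverage check for the wildcard patterns quoted above, using the documented rule that `*` and `?` in a `<Location>` path do not match `/`. The request paths, the function names and the suffix regex are assumptions made for illustration; bracket expressions are not modelled.

```python
import re

def location_glob(pattern):
    """Compile a <Location> wildcard path; '*' and '?' never cross a '/'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")

def uncovered_jsp(paths, patterns):
    """Return .jsp paths that no wildcard pattern matches (served as source)."""
    globs = [location_glob(p) for p in patterns]
    return [p for p in paths
            if p.endswith(".jsp") and not any(g.match(p) for g in globs)]

def uncovered_jsp_regex(paths, regex):
    """Same check for an unanchored regex, the form <LocationMatch> takes."""
    rx = re.compile(regex)
    return [p for p in paths if p.endswith(".jsp") and not rx.search(p)]

# Patterns copied from the report.
ORIGINAL = ["/*.jsp", "/servlet/*"]
WORKAROUND = ORIGINAL + ["/*/*.jsp", "/*/*/*.jsp"]
# Assumption: a suffix regex; the page does not say which directive to use,
# nor whether JkUriSet is valid inside <LocationMatch>.
SUFFIX_REGEX = r"\.jsp$"

# Constructed request paths, one per directory depth.
PATHS = ["/test.jsp", "/test/test.jsp", "/a/b/test.jsp",
         "/a/b/c/test.jsp", "/servlet/Foo"]

if __name__ == "__main__":
    print("original  :", uncovered_jsp(PATHS, ORIGINAL))
    print("workaround:", uncovered_jsp(PATHS, WORKAROUND))
    print("regex     :", uncovered_jsp_regex(PATHS, SUFFIX_REGEX))
```

The per-depth workaround still leaves any deeper directory unmatched, so a new subdirectory level would again be served as raw JSP source.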