Apache Tomcat JK Connector 1.2.23 has been released.

The details of the change are reportedly as follows.


mod_jk before version 1.2.23 by default decoded request URLs inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. This made it possible to pass a prefix JkMount for /someapp, but actually access /otherapp on Tomcat. Starting with version 1.2.23 by default mod_jk forwards the original unchanged request URL to Tomcat. You can achieve the same level of security for older versions by setting the forwarding option "JkOption ForwardURICompatUnparsed".

ForwardURICompatUnparsed is explained in the passage below.

According to that explanation, care is needed with ForwardURICompatUnparsed when URLs are rewritten.


Using JkOptions ForwardURICompatUnparsed, the forwarded URI will be unparsed. It's spec compliant and also the safest option. It will always forward the original request URI, so rewriting URIs with mod_rewrite and then forwarding the rewritten URI will not work.
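
To check whether an older mod_jk deployment received requests affected by the double decoding described in the release note above, the following added example (not code from the original post or from the Tomcat project) scans access-log lines for URIs that match a JkMount prefix after one decode but resolve outside it after a second decode. The log lines, the function names and the simplified two-stage decoding model are assumptions made for illustration; /someapp and /otherapp are the names used in the release note.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2007:10:00:01 +0900] "GET /someapp/index.jsp HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jun/2007:10:00:02 +0900] "GET /someapp/100%25.jsp?x=1 HTTP/1.1" 200 90',
    '192.0.2.12 - - [01/Jun/2007:10:00:03 +0900] "GET /someapp/%252e%252e/otherapp/admin.jsp HTTP/1.1" 200 733',
    '192.0.2.13 - - [01/Jun/2007:10:00:04 +0900] "GET /static/logo.png HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def under_mount(path, mount):
    """True if path is the mount point itself or lies below it."""
    mount = mount.rstrip("/")
    return path == mount or path.startswith(mount + "/")

def decoded_views(raw_uri):
    """Return the normalized path after one decode and after two decodes.

    Assumed model: the front end matches the mount on the once-decoded
    path, the back end resolves the twice-decoded path.
    """
    path = raw_uri.split("?", 1)[0]          # the query string is not part of the path
    once = unquote(path)
    twice = unquote(once)
    return posixpath.normpath(once), posixpath.normpath(twice)

def escapes_mount(raw_uri, mount):
    """True if the URI matches the mount after one decode but not after two."""
    once, twice = decoded_views(raw_uri)
    return under_mount(once, mount) and not under_mount(twice, mount)

def flag_log_lines(lines, mount):
    """Return the request URIs in the log lines that escape the mount prefix."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and escapes_mount(m.group(1), mount):
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    for uri in flag_log_lines(SAMPLE_LOG, "/someapp"):
        print("double-decoding mount escape:", uri)
```

A literal percent sign such as `100%25.jsp` is not flagged, because the second decode leaves the path inside the mount.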