Apache Tomcat JK Connector 1.2.23 has been released.

Before version 1.2.23, mod_jk by default decoded request URLs inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. This made it possible to pass a prefix JkMount for /someapp, but actually access /otherapp on Tomcat. Starting with version 1.2.23, mod_jk by default forwards the original, unchanged request URL to Tomcat. You can achieve the same level of security for older versions by setting the forwarding option "JkOptions ForwardURICompatUnparsed".
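For sites still running an older mod_jk, the double decoding described above can be looked for in httpd access logs. The following is an added example, not code from mod_jk or the release notes: it compares the path after one decode (httpd's view) with the path after two (Tomcat's view) and flags requests where the two disagree about the mount. The `/someapp` prefix comes from the text above; the function names and log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: httpd forwards only this prefix (the JkMount /someapp case above).
MOUNT_PREFIX = "/someapp"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP range, invented requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2007:10:00:00 +0000] "GET /someapp/index.jsp HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jun/2007:10:00:05 +0000] "GET /someapp/%252e%252e/otherapp/index.jsp HTTP/1.1" 200 734',
    '192.0.2.12 - - [01/Jun/2007:10:00:09 +0000] "GET /someapp/report%2520q2.jsp?x=1 HTTP/1.1" 404 210',
]

def under_mount(path, prefix=MOUNT_PREFIX):
    """True if the path, with '.' and '..' segments collapsed, stays under prefix."""
    resolved = posixpath.normpath(path)
    return resolved == prefix or resolved.startswith(prefix + "/")

def classify(raw_uri, prefix=MOUNT_PREFIX):
    """Return 'ok', 'double-encoded' or 'mount-escape' for one request URI."""
    raw_path = raw_uri.split("?", 1)[0]   # the query string is not part of the path
    once = unquote(raw_path)              # what httpd matches against JkMount
    twice = unquote(once)                 # what a second decoding would yield
    if once == twice:
        return "ok"                       # a second decode changes nothing
    if under_mount(once, prefix) and not under_mount(twice, prefix):
        return "mount-escape"             # the two layers disagree on the target
    return "double-encoded"               # suspicious, but stays inside the mount

def scan(lines, prefix=MOUNT_PREFIX):
    """Return (uri, verdict) for every logged request that is not 'ok'."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            verdict = classify(match.group(1), prefix)
            if verdict != "ok":
                findings.append((match.group(1), verdict))
    return findings

if __name__ == "__main__":
    for uri, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:15} {uri}")
```

A `mount-escape` finding on a server older than 1.2.23 without `ForwardURICompatUnparsed` is worth checking against the Tomcat access log for the same timestamp.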



Using JkOptions ForwardURICompatUnparsed, the forwarded URI will be unparsed. It's spec compliant and also the safest option. It will always forward the original request URI, so rewriting URIs with mod_rewrite and then forwarding the rewritten URI will not work.