Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/02 10:25:06 UTC

[tomcat] branch 9.0.x updated: Fix BZ 64483 Log a warning when an AJP request is rejected

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 20e963e  Fix BZ 64483 Log a warning when an AJP request is rejected
20e963e is described below

commit 20e963e78e5a1467276fdd25c7db67570605ceaf
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 2 11:22:35 2020 +0100

    Fix BZ 64483 Log a warning when an AJP request is rejected
---
 java/org/apache/coyote/ajp/AjpProcessor.java       | 14 ++++----------
 java/org/apache/coyote/ajp/LocalStrings.properties |  1 +
 webapps/docs/changelog.xml                         |  4 ++++
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index 31e2239..88f1cb7 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -28,7 +28,6 @@ import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.servlet.http.HttpServletResponse;
@@ -771,17 +770,12 @@ public class AjpProcessor extends AbstractProcessor {
                     // All 'known' attributes will be processed by the previous
                     // blocks. Any remaining attribute is an 'arbitrary' one.
                     Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal();
-                    if (pattern == null) {
+                    if (pattern != null && pattern.matcher(n).matches()) {
+                        request.setAttribute(n, v);
+                    } else {
+                        log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
                         response.setStatus(403);
                         setErrorState(ErrorState.CLOSE_CLEAN, null);
-                    } else {
-                        Matcher m = pattern.matcher(n);
-                        if (m.matches()) {
-                            request.setAttribute(n, v);
-                        } else {
-                            response.setStatus(403);
-                            setErrorState(ErrorState.CLOSE_CLEAN, null);
-                        }
                     }
                 }
                 break;
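Review bot: The new `log.warn` in the rejection branch writes the attribute name `n` exactly as received from the AJP peer into the log, and it fires once per rejected request with no throttling, so a misconfigured proxy that keeps sending the same attribute will fill the log at WARN level. Tomcat already has `org.apache.tomcat.util.log.UserDataHelper` for rate-limiting log output that is driven by peer-supplied data; consider routing this warning through it (I believe the HTTP/1.1 processor does this for malformed requests, worth checking), and since the name is peer-controlled, confirm that the log layer escapes control characters or sanitize `n` before logging. It is deliberate that only the name and not `v` is logged, and a one-line comment stating that, e.g. `// Log only the attribute name; the value may carry data that does not belong in the log`, would stop a later edit from adding the value. The enclosing method starts and ends outside the hunk.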
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties
index ab377eb..467035d 100644
--- a/java/org/apache/coyote/ajp/LocalStrings.properties
+++ b/java/org/apache/coyote/ajp/LocalStrings.properties
@@ -26,6 +26,7 @@ ajpprocessor.header.tooLong=Header message of length [{0}] received but the pack
 ajpprocessor.readtimeout=Timeout attempting to read data from the socket
 ajpprocessor.request.prepare=Error preparing request
 ajpprocessor.request.process=Error processing request
+ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy
 
 ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored
 ajpprotocol.noSecret=The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
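Review bot: The new message says "unknown request attribute", but the code path that emits it also runs when no allowed-attributes pattern is configured at all (the `pattern == null` case in AjpProcessor), where the attribute is simply not allowed rather than unknown, and the text gives an operator no hint which connector setting controls the rejection. Consider wording it as `ajpprocessor.unknownAttribute=Rejecting request due to request attribute [{0}] received from reverse proxy that does not match allowedRequestAttributesPattern`, keeping the key unchanged.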
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index dc7b498..f82b323 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -91,6 +91,10 @@
         Expose server certificate through the <code>SSLSupport</code>
         interface. (remm)
       </update>
+      <add>
+        <bug>64483</bug>: Log a warning if an AJP request is rejected because it
+        contains an unexpected request attribute. (markt)
+      </add>
       <fix>
         <bug>64485</bug>: Fix possible resource leak geting last modified from
         <code>ConfigurationSource.Resource</code>. (remm)

