Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/04 21:07:24 UTC

[tomcat] branch master updated: Tweak AJP improvements

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new 35f6d6e  Tweak AJP improvements
35f6d6e is described below

commit 35f6d6e52aca0a6e5ace2572a8bae3b9f77babc4
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Feb 4 21:07:02 2020 +0000

    Tweak AJP improvements
    
    Better attribute name for allowedRequestAttributesPattern
    Add explicit address attribute to commented out AJP connector
---
 conf/server.xml                                          |  5 ++++-
 java/org/apache/coyote/ajp/AbstractAjpProtocol.java      | 14 +++++++-------
 java/org/apache/coyote/ajp/AjpProcessor.java             |  2 +-
 test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java |  2 +-
 webapps/docs/config/ajp.xml                              |  4 ++--
 webapps/docs/security-howto.xml                          |  2 +-
 6 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/conf/server.xml b/conf/server.xml
index 5d9d57a..bd3ed3e 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -114,7 +114,10 @@
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <!--
-    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    <Connector protocol="AJP/1.3"
+               address="::1"
+               port="8009" 
+               redirectPort="8443" />
     -->
 
     <!-- An Engine represents the entry point (within Catalina) that processes
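Review bot: The sample connector's new `address="::1"` binds to the IPv6 loopback only, and the comment above the block does not say why the address is there. Someone who uncomments it on a host without IPv6, or behind a proxy that connects to 127.0.0.1, is likely to get a connector that fails to bind or cannot be reached. I would extend the comment above the block to something like `<!-- Define an AJP 1.3 Connector on port 8009, bound to the loopback address. Change address only if the reverse proxy runs on another host, and configure secret to match the proxy. -->` so the loopback binding reads as a deliberate restriction rather than an example value. The added `port="8009" ` line also ends in a trailing space.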
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
index a2f5e28..63ff6c5 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
@@ -189,15 +189,15 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
     }
 
 
-    private Pattern allowedArbitraryRequestAttributesPattern;
-    public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) {
-        this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes);
+    private Pattern allowedRequestAttributesPattern;
+    public void setAllowedRequestAttributesPattern(String allowedRequestAttributesPattern) {
+        this.allowedRequestAttributesPattern = Pattern.compile(allowedRequestAttributesPattern);
     }
-    public String getAllowedArbitraryRequestAttributes() {
-        return allowedArbitraryRequestAttributesPattern.pattern();
+    public String getAllowedRequestAttributesPattern() {
+        return allowedRequestAttributesPattern.pattern();
     }
-    protected Pattern getAllowedArbitraryRequestAttributesPattern() {
-        return allowedArbitraryRequestAttributesPattern;
+    protected Pattern getAllowedRequestAttributesPatternInternal() {
+        return allowedRequestAttributesPattern;
     }
 
 
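Review bot: `getAllowedRequestAttributesPattern()` dereferences `allowedRequestAttributesPattern` unconditionally, but the field has no initial value here and the AjpProcessor hunk treats a null pattern as the normal reject-everything state (it answers 403). Calling the getter on a connector where the attribute was never configured, for instance from management or introspection tooling, would therefore throw a NullPointerException. A null-safe form would be `return allowedRequestAttributesPattern == null ? null : allowedRequestAttributesPattern.pattern();`. The setter has the mirror case: `Pattern.compile(null)` throws, so the pattern cannot be cleared back to deny-all once set, and it is worth deciding whether that is intended. A one-line Javadoc on each of the three accessors stating that a null pattern means every arbitrary attribute is rejected would make the fail-closed default explicit; the class body continues outside the hunk.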
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index 226d210..0d82ea1 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -753,7 +753,7 @@ public class AjpProcessor extends AbstractProcessor {
                 } else {
                     // All 'known' attributes will be processed by the previous
                     // blocks. Any remaining attribute is an 'arbitrary' one.
-                    Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern();
+                    Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal();
                     if (pattern == null) {
                         response.setStatus(403);
                         setErrorState(ErrorState.CLOSE_CLEAN, null);
diff --git a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java
index 431bd81..21f5e53 100644
--- a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java
+++ b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java
@@ -50,7 +50,7 @@ public class TestAbstractAjpProcessor extends TomcatBaseTest {
 
         Connector c = getTomcatInstance().getConnector();
         c.setProperty("secretRequired", "false");
-        c.setProperty("allowedArbitraryRequestAttributes", "MYATTRIBUTE.*");
+        c.setProperty("allowedRequestAttributesPattern", "MYATTRIBUTE.*");
     }
 
 
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index dbecf7a..801920a 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -48,7 +48,7 @@
   it allows greater direct manipulation of Tomcat's internal data structures
   than the HTTP connectors. Particular attention should be paid to the values
   used for the <code>address</code>, <code>secret</code>,
-  <code>secretRequired</code> and <code>allowedArbitraryRequestAttributes</code>
+  <code>secretRequired</code> and <code>allowedRequestAttributesPattern</code>
   attributes.</p>
 
   <p>This connector supports load balancing when used in conjunction with
@@ -318,7 +318,7 @@
       port. By default, the loopback address will be used.</p>
     </attribute>
 
-    <attribute name="allowedArbitraryRequestAttributes" required="false">
+    <attribute name="allowedRequestAttributesPattern" required="false">
       <p>The AJP protocol passes some information from the reverse proxy to the
       AJP connector using request attributes. These attributes are:</p>
       <ul>
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index dfc03cc..a42eb17 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -255,7 +255,7 @@
       <p>AJP Connectors block forwarded requests with unknown request
       attributes. Known safe and/or expected attributes may be allowed by
       configuration an appropriate regular expression for the
-      <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+      <code>allowedRequestAttributesPattern</code> attribute.</p>
 
       <p>The <strong>address</strong> attribute may be used to control which IP
       address a connector listens on for connections. By default, a connector

