Posted to users@tomcat.apache.org by Jess Holle <je...@ptc.com> on 2008/04/10 18:12:52 UTC

%3B in path-info

We have some servlets that take rather general path-info's.  When these 
include a /properly escaped/ semicolon, invoking getPathInfo() in Tomcat 
results in a truncated path info.

Is this a known bug?

For example, one might have the request

    http://myhost/mywebapp/servlet/myservlet/pathcomp1/pathcomp2/foo%3Bbar?spaz=bot

The expected result of getPathInfo() is

    /pathcomp1/pathcomp2/foo%3Bbar

The actual result in Tomcat is:

    /pathcomp1/pathcomp2/foo

Note that the %3B is already converted into a ";" character in the 
results of getRequestURI()...

This certainly would appear to be a bug in /something/.  Or is this a 
bug or misconfiguration in mod_proxy_ajp or some such?

--
Jess Holle


Re: %3B in path-info

Posted by Mark Thomas <ma...@apache.org>.
Mark Thomas wrote:
> Jess Holle wrote:
>> Is there any reasonable way I can tell where the issue resides, 
>> mod_proxy_ajp or the Tomcat AJP connector.
> 
> I'll do a quick test and get back to you.

Looks like a mod_proxy_ajp bug/configuration error.

Using mod_jk (1.2.24-dev but relevant code hasn't changed), http 2.2.4 and
JkOptions     +ForwardURICompatUnparsed

I get
Path Info: 	/test/foo;bar
as expected.

I'll do a little more digging in the mod_proxy docs and let you know what I find.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: %3B in path-info

Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> Is there any reasonable way I can tell where the issue resides, 
> mod_proxy_ajp or the Tomcat AJP connector.

I'll do a quick test and get back to you.

Mark



Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Is there any reasonable way I can tell where the issue resides, 
mod_proxy_ajp or the Tomcat AJP connector.

I'm using Apache 2.2.8 and the Java (non-native, non-NIO) AJP 
connector.  [The native connector is just too painful to build on half a 
dozen platforms...]

Jess Holle wrote:
> You're right -- this works fine in the direct case.
>
> So I need to file a bug against mod_proxy_ajp instead?  Or is there 
> some chance this is in the AJP connector?
>
> Rainer Jung wrote:
>> So are you saying, that the request goes through httpd/mod_proxy or 
>> mod_jk? If so, you should first test with direct request, so that we 
>> know, where we have to look for the problem.
>>
>> With mod_jk there were a couple of encoding changes and the latest 
>> versions without a forwarding JkOption I think decodes the semicolon 
>> before forwarding, because the AJP connector does not decode before 
>> looking for the jsessionid.
>>
>> Regards,
>>
>> Rainer




Re: %3B in path-info

Posted by Rémy Maucherat <re...@gmail.com>.
On Fri, Apr 11, 2008 at 4:51 AM, Jess Holle <je...@ptc.com> wrote:
>  Agreed -- but that draws me back to the need for an option (or default
> behavior!) in mod_proxy_ajp wherein the URL passed via AJP is not
> decoded.

The thing is that it is news to me that mod_proxy_ajp passes decoded
URLs ;) I am pretty sure I was told when this security problem was
originally found (and the mod_jk default was changed as a result) that
this was not the case.

Rémy



Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Rémy Maucherat wrote:
> On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung <ra...@kippdata.de> wrote:
>   
>>  Rémy,
>>
>>  I know that we cleaned reencoding of forwarded URLs up in the context of
>> the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at
>> that time it would have been easier, if the AJP connectors had resolved
>> %3Bjsessionid (because then we wouldn't have needed a new JK forward
>> option).
>>     
> %3Bjsessionid is not a session id. JK should not be passing a decoded
> URL, and that's pretty much the end of the story.
>   
Agreed -- but that draws me back to the need for an option (or default 
behavior!) in mod_proxy_ajp wherein the URL passed via AJP is not 
decoded.

--
Jess Holle


Re: %3B in path-info

Posted by Rémy Maucherat <re...@gmail.com>.
On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung <ra...@kippdata.de> wrote:
>  Rémy,
>
>  I know that we cleaned reencoding of forwarded URLs up in the context of
> the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at
> that time it would have been easier, if the AJP connectors had resolved
> %3Bjsessionid (because then we wouldn't have needed a new JK forward
> option).

%3Bjsessionid is not a session id. JK should not be passing a decoded
URL, and that's pretty much the end of the story.

Rémy



Re: %3B in path-info

Posted by Rainer Jung <ra...@kippdata.de>.
Rémy Maucherat wrote:
> On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle <je...@ptc.com> wrote:
>>  Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]
> 
> Guys, you've been going crazy about a (known) security issue: CVE-2007-1860
> See http://tomcat.apache.org/security-jk.html
> 
> Rémy

Rémy,

I know that we cleaned reencoding of forwarded URLs up in the context of 
the CVE and mod_jk. The semicolon wasn't involved in the CVE though and 
at that time it would have been easier, if the AJP connectors had 
resolved %3Bjsessionid (because then we wouldn't have needed a new JK 
forward option).

Regards,

Rainer



Re: %3B in path-info

Posted by Rémy Maucherat <re...@gmail.com>.
On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle <je...@ptc.com> wrote:
>  Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]

Guys, you've been going crazy about a (known) security issue: CVE-2007-1860
See http://tomcat.apache.org/security-jk.html

Rémy



Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Rainer Jung wrote:
> Hmmm. Unfortunately I couldn't follow the thread earlier.
>
> As far as I know the problem is the following:
>
> A semicolon is used to separate the jsessionid in case you are using 
> URL encoded sessions. As far as I remember the AJP connector does 
> *not* recognize %3Bjsessionid. So if you are using URL encoded 
> sessions, semicolons need to be decoded before sending to Tomcat, or 
> Tomcat needs a patch to recognize %3bjsessionid in the AJP connector.
>
> If you don't use URL encoded sessions, you can choose the correct 
> forward option in mod_jk.
That's great in mod_jk -- and as I noted we're already using an 
appropriate forward option where we use mod_jk.  [This is for conveying 
information in the path info -- not for jsessionid, where we require 
cookies.]
> Concerning mod_proxy_ajp: I'm not sure, if it is a bug. Since %3B and 
> semicolon should be equivalent, my question is: do you get the correct 
> path info if you use Tomcat http connector directly and use semicolon 
> instead of %3B?
";" is not the same as %3B as I understand it.  A raw ";" is reserved by 
the RFC and denotes a separation between path components and other data, 
e.g. jsessionid.

An encoded ";", i.e. %3B should be able to be part of the path 
components, though.

As Mark Thomas helped me to realize the issue is that mod_proxy_ajp has 
no equivalent of the option we'd been relying upon in mod_jk to resolve 
this issue.  That's a serious gap in mod_proxy_ajp.  On the other hand, 
there's a lot to be said for Apache 2.2 in general and mod_proxy_ajp in 
particular, so we really need this gap closed and can't just revert to 
mod_jk.

--
Jess Holle
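
Added example (not part of the original thread, and not Tomcat or httpd code): a simplified Python model of the order of operations discussed in this message, showing why a front end that forwards a decoded path turns %3B into a path-parameter delimiter. The function names, the two-hop split and the sample values are assumptions built from the request in the first post; real containers also normalize the path.

```python
from urllib.parse import unquote

# Constructed sample, taken from the request shape in the first post.
PREFIX = "/mywebapp/servlet/myservlet"
SAMPLE_URI = PREFIX + "/pathcomp1/pathcomp2/foo%3Bbar?spaz=bot"


def proxy_forward(client_uri: str, decode: bool) -> str:
    """Front-end hop (hypothetical model). decode=True forwards a
    percent-decoded path, as the thread observes behind mod_proxy_ajp;
    decode=False forwards the path exactly as the client sent it."""
    path, sep, query = client_uri.partition("?")
    return (unquote(path) if decode else path) + sep + query


def strip_path_params(raw_path: str) -> str:
    """Drop ';name=value' data from every segment. Only a raw ';' is a
    delimiter; '%3B' is still three ordinary characters at this point."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def backend_path_info(uri_on_wire: str, servlet_prefix: str) -> str:
    """Back-end hop (hypothetical model): strip path parameters first,
    percent-decode second, then return what follows the servlet mapping."""
    raw_path = uri_on_wire.split("?", 1)[0]
    path = unquote(strip_path_params(raw_path))
    if not path.startswith(servlet_prefix):
        raise ValueError("request is not mapped to this servlet")
    return path[len(servlet_prefix):]


def compare_hops(client_uri: str, servlet_prefix: str):
    """Return (path info when forwarded unparsed,
               path info when forwarded decoded,
               True if the two views disagree)."""
    unparsed = backend_path_info(
        proxy_forward(client_uri, decode=False), servlet_prefix)
    decoded = backend_path_info(
        proxy_forward(client_uri, decode=True), servlet_prefix)
    return unparsed, decoded, unparsed != decoded


if __name__ == "__main__":
    unparsed, decoded, differs = compare_hops(SAMPLE_URI, PREFIX)
    print("forwarded unparsed:", unparsed)
    print("forwarded decoded: ", decoded)
    print("front end and back end disagree:", differs)
```

Running compare_hops() over recorded request URIs is a quick way to find the requests whose meaning changes between the two hops.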




Re: %3B in path-info

Posted by Rainer Jung <ra...@kippdata.de>.
Jess Holle wrote:
> Mark Thomas wrote:
>> Jess Holle wrote:
>>> Mark Thomas wrote:
>>>> I couldn't see anything either. This looks like a mod_proxy_ajp 
>>>> bug/missing feature.
>>> I jumped the gun once by filing this against Tomcat, but it seems 
>>> everything is pointing to mod_proxy_ajp.  Is it time to file a bug 
>>> against it?
>> Looks like it to me.
> Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]

Hmmm. Unfortunately I couldn't follow the thread earlier.

As far as I know the problem is the following:

A semicolon is used to separate the jsessionid in case you are using URL 
encoded sessions. As far as I remember the AJP connector does *not* 
recognize %3Bjsessionid. So if you are using URL encoded sessions, 
semicolons need to be decoded before sending to Tomcat, or Tomcat needs 
a patch to recognize %3bjsessionid in the AJP connector.

If you don't use URL encoded sessions, you can choose the correct 
forward option in mod_jk.

Concerning mod_proxy_ajp: I'm not sure, if it is a bug. Since %3B and 
semicolon should be equivalent, my question is: do you get the correct 
path info if you use Tomcat http connector directly and use semicolon 
instead of %3B?

Regards,

Rainer



Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Mark Thomas wrote:
> Jess Holle wrote:
>> Mark Thomas wrote:
>>> I couldn't see anything either. This looks like a mod_proxy_ajp 
>>> bug/missing feature.
>> I jumped the gun once by filing this against Tomcat, but it seems 
>> everything is pointing to mod_proxy_ajp.  Is it time to file a bug 
>> against it?
> Looks like it to me.
Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]

Thanks.

--
Jess Holle




Re: %3B in path-info

Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> Mark Thomas wrote:
>> I couldn't see anything either. This looks like a mod_proxy_ajp 
>> bug/missing feature.
> I jumped the gun once by filing this against Tomcat, but it seems 
> everything is pointing to mod_proxy_ajp.  Is it time to file a bug 
> against it?

Looks like it to me.

Mark




Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Jess Holle wrote:
> Mark Thomas wrote:
>> Jess Holle wrote:
>>> Mark Thomas wrote:
>>>> Jess Holle wrote:
>>>>> You're right -- this works fine in the direct case.
>>>>>
>>>>> So I need to file a bug against mod_proxy_ajp instead?  Or is 
>>>>> there some chance this is in the AJP connector?
>>>> Only if there is a bug - we haven't shown that yet ;)
>>>>
>>>> Could you provide some version numbers please (httpd, mod_jk, etc)
>>>>
>>>> Also, what setting are you using for JkOptions?
>>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>>
>>>> I suspect you want
>>>> JkOptions     +ForwardURICompatUnparsed
>>>> but read the docs carefully before making any changes so you 
>>>> understand the security implications.
>>> I don't believe mod_proxy_ajp provides any such options -- and I'm 
>>> using that and Apache 2.2.x, not 2.0.x and/or mod_jk.  At any rate, 
>>> I have:
>> I couldn't see anything either. This looks like a mod_proxy_ajp 
>> bug/missing feature.
> I jumped the gun once by filing this against Tomcat, but it seems 
> everything is pointing to mod_proxy_ajp.  Is it time to file a bug 
> against it?
P.S. Where we use Apache 2 and mod_jk, we use

      JkOptions +ForwardURIEscaped
      JkOptions +FlushPackets

The latter is covered in mod_proxy_ajp via "flushpackets=on", but I 
don't see any coverage of the former.

--
Jess Holle


Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Mark Thomas wrote:
> Jess Holle wrote:
>> Mark Thomas wrote:
>>> Jess Holle wrote:
>>>> You're right -- this works fine in the direct case.
>>>>
>>>> So I need to file a bug against mod_proxy_ajp instead?  Or is there 
>>>> some chance this is in the AJP connector?
>>> Only if there is a bug - we haven't shown that yet ;)
>>>
>>> Could you provide some version numbers please (httpd, mod_jk, etc)
>>>
>>> Also, what setting are you using for JkOptions?
>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>
>>> I suspect you want
>>> JkOptions     +ForwardURICompatUnparsed
>>> but read the docs carefully before making any changes so you 
>>> understand the security implications.
>> I don't believe mod_proxy_ajp provides any such options -- and I'm 
>> using that and Apache 2.2.x, not 2.0.x and/or mod_jk.  At any rate, I 
>> have:
> I couldn't see anything either. This looks like a mod_proxy_ajp 
> bug/missing feature.
I jumped the gun once by filing this against Tomcat, but it seems 
everything is pointing to mod_proxy_ajp.  Is it time to file a bug 
against it?

--
Jess Holle




Re: %3B in path-info

Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> Mark Thomas wrote:
>> Jess Holle wrote:
>>> You're right -- this works fine in the direct case.
>>>
>>> So I need to file a bug against mod_proxy_ajp instead?  Or is there 
>>> some chance this is in the AJP connector?
>> Only if there is a bug - we haven't shown that yet ;)
>>
>> Could you provide some version numbers please (httpd, mod_jk, etc)
>>
>> Also, what setting are you using for JkOptions?
>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>
>> I suspect you want
>> JkOptions     +ForwardURICompatUnparsed
>> but read the docs carefully before making any changes so you 
>> understand the security implications.
> I don't believe mod_proxy_ajp provides any such options -- and I'm using 
> that and Apache 2.2.x, not 2.0.x and/or mod_jk.  At any rate, I have:

I couldn't see anything either. This looks like a mod_proxy_ajp bug/missing 
feature.

Mark



Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
Mark Thomas wrote:
> Jess Holle wrote:
>> You're right -- this works fine in the direct case.
>>
>> So I need to file a bug against mod_proxy_ajp instead?  Or is there 
>> some chance this is in the AJP connector?
> Only if there is a bug - we haven't shown that yet ;)
>
> Could you provide some version numbers please (httpd, mod_jk, etc)
>
> Also, what setting are you using for JkOptions?
> http://tomcat.apache.org/connectors-doc/reference/apache.html
>
> I suspect you want
> JkOptions     +ForwardURICompatUnparsed
> but read the docs carefully before making any changes so you 
> understand the security implications.
I don't believe mod_proxy_ajp provides any such options -- and I'm using 
that and Apache 2.2.x, not 2.0.x and/or mod_jk.  At any rate, I have:

    <Proxy balancer://ajpWorker>
        BalancerMember ajp://localhost:8010 min=16 max=80 smax=40 ttl=900 keepalive=Off timeout=90000 retry=1 flushpackets=on
    </Proxy>

and

    <IfModule mod_proxy_ajp.c>
    <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteRule ^(/MyWebAppName/(.*\.jsp(.*)|servlet/.*|.*\.jar))$ balancer://ajpWorker$1 [P]
    </IfModule>
    </IfModule>

which maps all JSP, servlet, and .jar requests to Tomcat and lets Apache 
handle everything else.

--
Jess Holle


Re: %3B in path-info

Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> You're right -- this works fine in the direct case.
> 
> So I need to file a bug against mod_proxy_ajp instead?  Or is there some 
> chance this is in the AJP connector?

Only if there is a bug - we haven't shown that yet ;)

Could you provide some version numbers please (httpd, mod_jk, etc)

Also, what setting are you using for JkOptions?
http://tomcat.apache.org/connectors-doc/reference/apache.html

I suspect you want
JkOptions     +ForwardURICompatUnparsed
but read the docs carefully before making any changes so you understand the 
security implications.

Mark




Re: %3B in path-info

Posted by Jess Holle <je...@ptc.com>.
You're right -- this works fine in the direct case.

So I need to file a bug against mod_proxy_ajp instead?  Or is there some 
chance this is in the AJP connector?

Rainer Jung wrote:
> So are you saying, that the request goes through httpd/mod_proxy or 
> mod_jk? If so, you should first test with direct request, so that we 
> know, where we have to look for the problem.
>
> With mod_jk there were a couple of encoding changes and the latest 
> versions without a forwarding JkOption I think decodes the semicolon 
> before forwarding, because the AJP connector does not decode before 
> looking for the jsessionid.
>
> Regards,
>
> Rainer




Re: %3B in path-info

Posted by Rainer Jung <ra...@kippdata.de>.
Jess Holle wrote:
> We have some servlets that take rather general path-info's.  When these 
> include a /properly escaped/ semicolon, invoking getPathInfo() in Tomcat 
> results in a truncated path info.
> 
> Is this a known bug?
> 
> For example, one might have the request
> 
>    
> http://myhost/mywebapp/servlet/myservlet/pathcomp1/pathcomp2/foo%3Bbar?spaz=bot 
> 
> 
> The expected result of getPathInfo() is
> 
>    /pathcomp1/pathcomp2/foo%3Bbar
> 
> The actual result in Tomcat is:
> 
>    /pathcomp1/pathcomp2/foo
> 
> Note that the %3B is already converted into a ";" character in the 
> results of getRequestURI()...
> 
> This certainly would appear to be a bug in /something/.  Or is this a 
> bug or misconfiguration in mod_proxy_ajp or some such?

So are you saying, that the request goes through httpd/mod_proxy or 
mod_jk? If so, you should first test with direct request, so that we 
know, where we have to look for the problem.

With mod_jk there were a couple of encoding changes and the latest 
versions without a forwarding JkOption I think decodes the semicolon 
before forwarding, because the AJP connector does not decode before 
looking for the jsessionid.

Regards,

Rainer
