Posted to users@tomcat.apache.org by Jess Holle <je...@ptc.com> on 2008/04/10 18:12:52 UTC
%3B in path-info
We have some servlets that take rather general path-info's. When these
include a /properly escaped/ semicolon, invoking getPathInfo() in Tomcat
results in a truncated path info.
Is this a known bug?
For example, one might have the request
http://myhost/mywebapp/servlet/myservlet*/pathcomp1/pathcomp2/foo%3Bbar*?spaz=bot
The expected result of getPathInfo() is
/pathcomp1/pathcomp2/foo%3Bbar
The actual result in Tomcat is:
*/pathcomp1/pathcomp2/foo*
Note that the %3B is already converted into a ";" character in the
results of getRequestURI()...
This certainly would appear to be a bug in /something/. Or is this a
bug or misconfiguration in mod_proxy_ajp or some such?
--
Jess Holle
Re: %3B in path-info
Posted by Mark Thomas <ma...@apache.org>.
Mark Thomas wrote:
> Jess Holle wrote:
>> Is there any reasonable way I can tell where the issue resides,
>> mod_proxy_ajp or the Tomcat AJP connector.
>
> I'll do a quick test and get back to you.
Looks like a mod_proxy_ajp bug/configuration error.
Using mod_jk (1.2.24-dev but relevant code hasn't changed), http 2.2.4 and
JkOptions +ForwardURICompatUnparsed
I get
Path Info: /test/foo;bar
as expected.
I'll do a little more digging in the mod_proxy docs and let you know what I find.
Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: %3B in path-info
Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> Is there any reasonable way I can tell where the issue resides,
> mod_proxy_ajp or the Tomcat AJP connector.
I'll do a quick test and get back to you.
Mark
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Is there any reasonable way I can tell where the issue resides,
mod_proxy_ajp or the Tomcat AJP connector.
I'm using Apache 2.2.8 and the Java (non-native, non-NIO) AJP
connector. [The native connector is just too painful to build on half a
dozen platforms...]
Jess Holle wrote:
> You're right -- this works fine in the direct case.
>
> So I need to file a bug against mod_proxy_ajp instead? Or is there
> some chance this is in the AJP connector?
>
> Rainer Jung wrote:
>> So are you saying, that the request goes through httpd/mod_proxy or
>> mod_jk? If so, you should first test with direct request, so that we
>> know, where we have to look for the problem.
>>
>> With mod_jk there were a couple of encoding changes and the latest
>> versions without a forwarding JkOption I think decodes the semicolon
>> before forwarding, because the AJP connector does not decode before
>> looking for the jsessionid.
>>
>> Regards,
>>
>> Rainer
>>
Re: %3B in path-info
Posted by Rémy Maucherat <re...@gmail.com>.
On Fri, Apr 11, 2008 at 4:51 AM, Jess Holle <je...@ptc.com> wrote:
> Agreed -- but that draws me back to the need for an option (or default
> behavior!) in mod_proxy_ajp wherein the URL passed to via AJP is not
> decoded.
The thing is that it is news to me that mod_proxy_ajp passes decoded
URLs ;) I am pretty sure I was told when this security problem was
originally found (and the mod_jk default was changed as a result) that
this was not the case.
Rémy
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Rémy Maucherat wrote:
> On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung <ra...@kippdata.de> wrote:
>
>> Rémy,
>>
>> I know that we cleaned reencoding of forwarded URLs up in the context of
>> the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at
>> that time it would have been easier, if the AJP connectors had resolved
>> %3Bjsessionid (because then we wouldn't have needed a new JK forward
>> option).
>>
> %3Bjsessionid is not a session id. JK should not be passing a decoded
> URL, and that's pretty much the end of the story.
>
Agreed -- but that draws me back to the need for an option (or default
behavior!) in mod_proxy_ajp wherein the URL passed to via AJP is not
decoded.
--
Jess Holle
Re: %3B in path-info
Posted by Rémy Maucherat <re...@gmail.com>.
On Fri, Apr 11, 2008 at 1:58 AM, Rainer Jung <ra...@kippdata.de> wrote:
> Rémy,
>
> I know that we cleaned reencoding of forwarded URLs up in the context of
> the CVE and mod_jk. The semicolon wasn't involved in the CVE though and at
> that time it would have been easier, if the AJP connectors had resolved
> %3Bjsessionid (because then we wouldn't have needed a new JK forward
> option).
%3Bjsessionid is not a session id. JK should not be passing a decoded
URL, and that's pretty much the end of the story.
Rémy
Re: %3B in path-info
Posted by Rainer Jung <ra...@kippdata.de>.
Rémy Maucherat wrote:
> On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle <je...@ptc.com> wrote:
>> Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]
>
> Guys, you've been going crazy about a (known) security issue: CVE-2007-1860
> See http://tomcat.apache.org/security-jk.html
>
> Rémy
Rémy,
I know that we cleaned reencoding of forwarded URLs up in the context of
the CVE and mod_jk. The semicolon wasn't involved in the CVE though and
at that time it would have been easier, if the AJP connectors had
resolved %3Bjsessionid (because then we wouldn't have needed a new JK
forward option).
Regards,
Rainer
Re: %3B in path-info
Posted by Rémy Maucherat <re...@gmail.com>.
On Fri, Apr 11, 2008 at 12:19 AM, Jess Holle <je...@ptc.com> wrote:
> Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]
Guys, you've been going crazy about a (known) security issue: CVE-2007-1860
See http://tomcat.apache.org/security-jk.html
Rémy
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Rainer Jung wrote:
> Hmmm. Unfortunately I couldn't follow the thread earlier.
>
> As far as I know the problem is the following:
>
> A semicolon is used to separate the jsessionid in case you are using
> URL encoded sessions. As far as I remember the AJP connector does
> *not* recognize %3Bjsessionid. So if you are using URL encoded
> sessions, semicolons need to be decoded before sending to Tomcat, or
> Tomcat needs a patch to recognize %3bjsessionid in the AJP connector.
>
> If you don't use URL encoded sessions, you can choose the correct
> forward option in mod_jk.
That's great in mod_jk -- and as I noted we're already using an
appropriate forward option where we use mod_jk. [This is for conveying
information in the path info -- not for jsessionid, where we require
cookies.]
> Concerning mod_proxy_ajp: I'm not sure, if it is a bug. Since %3B and
> semicolon should be equivalent, my question is: do you get the correct
> path info if you use Tomcat http connector directly and use semicolon
> instead of %3B?
";" is not the same as %3B as I understand it. A raw ";" is reserved by
the RFC and denotes a separation between path components and other data,
e.g. jsessionid.
An encoded ";", i.e. %3B should be able to be part of the path
components, though.
As Mark Thomas helped me to realize the issue is that mod_proxy_ajp has
no equivalent of the option we'd been relying upon in mod_jk to resolve
this issue. That's a serious gap in mod_proxy_ajp. On the other hand,
there's a lot to be said for Apache 2.2 in general and mod_proxy_ajp in
particular, so we really need this gap closed and can't just revert to
mod_jk.
--
Jess Holle
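Added example (not part of the original thread, and not Tomcat or httpd code): a simplified Python model of the difference discussed above. It assumes a front end that either percent-decodes the path before forwarding or forwards it unparsed, and a backend that strips ";" path parameters before decoding; the function names and the model are hypothetical, and the sample path is the one from the first message.

```python
from urllib.parse import unquote

# Path taken from the thread's example request (query string omitted).
SERVLET_PREFIX = "/mywebapp/servlet/myservlet"
SAMPLE_PATH = SERVLET_PREFIX + "/pathcomp1/pathcomp2/foo%3Bbar"


def forward_decoded(raw_path):
    """Hypothetical front end that percent-decodes the path before forwarding."""
    return unquote(raw_path)


def forward_unparsed(raw_path):
    """Hypothetical front end that forwards the path exactly as received."""
    return raw_path


def strip_path_params(path):
    """Drop ';param' suffixes from each segment, as done for ;jsessionid."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def backend_path_info(forwarded_path, servlet_prefix=SERVLET_PREFIX):
    """Simplified backend: split on raw ';' first, percent-decode second."""
    decoded = unquote(strip_path_params(forwarded_path))
    if not decoded.startswith(servlet_prefix):
        raise ValueError("path is not mapped to this servlet")
    return decoded[len(servlet_prefix):]


def path_info_differs(raw_path, servlet_prefix=SERVLET_PREFIX):
    """True when the two forwarding modes give the application different data."""
    return (backend_path_info(forward_decoded(raw_path), servlet_prefix)
            != backend_path_info(forward_unparsed(raw_path), servlet_prefix))


if __name__ == "__main__":
    # Constructed inputs: encoded semicolon, raw semicolon, no semicolon.
    for path in (SAMPLE_PATH,
                 SERVLET_PREFIX + "/pathcomp1/pathcomp2/foo;bar",
                 SERVLET_PREFIX + "/pathcomp1/pathcomp2/foo"):
        print(path)
        print("  decoded front end :", backend_path_info(forward_decoded(path)))
        print("  unparsed front end:", backend_path_info(forward_unparsed(path)))
        print("  differs           :", path_info_differs(path))
```

In this model only the %3B form produces a difference; a raw ";" is treated as a parameter separator in both forwarding modes.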
Re: %3B in path-info
Posted by Rainer Jung <ra...@kippdata.de>.
Jess Holle wrote:
> Mark Thomas wrote:
>> Jess Holle wrote:
>>> Mark Thomas wrote:
>>>> I couldn't see anything either. This looks like a mod_proxy_ajp
>>>> bug/missing feature.
>>> I jumped the gun once by filing this against Tomcat, but it seems
>>> everything is pointing to mod_proxy_ajp. Is it time to file a bug
>>> against it?
>> Looks like it to me.
> Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]
Hmmm. Unfortunately I couldn't follow the thread earlier.
As far as I know the problem is the following:
A semicolon is used to separate the jsessionid in case you are using URL
encoded sessions. As far as I remember the AJP connector does *not*
recognize %3Bjsessionid. So if you are using URL encoded sessions,
semicolons need to be decoded before sending to Tomcat, or Tomcat needs
a patch to recognize %3bjsessionid in the AJP connector.
If you don't use URL encoded sessions, you can choose the correct
forward option in mod_jk.
Concerning mod_proxy_ajp: I'm not sure, if it is a bug. Since %3B and
semicolon should be equivalent, my question is: do you get the correct
path info if you use Tomcat http connector directly and use semicolon
instead of %3B?
Regards,
Rainer
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Mark Thomas wrote:
> Jess Holle wrote:
>> Mark Thomas wrote:
>>> I couldn't see anything either. This looks like a mod_proxy_ajp
>>> bug/missing feature.
>> I jumped the gun once by filing this against Tomcat, but it seems
>> everything is pointing to mod_proxy_ajp. Is it time to file a bug
>> against it?
> Looks like it to me.
Done. [https://issues.apache.org/bugzilla/show_bug.cgi?id=44803]
Thanks.
--
Jess Holle
Re: %3B in path-info
Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> Mark Thomas wrote:
>> I couldn't see anything either. This looks like a mod_proxy_ajp
>> bug/missing feature.
> I jumped the gun once by filing this against Tomcat, but it seems
> everything is pointing to mod_proxy_ajp. Is it time to file a bug
> against it?
Looks like it to me.
Mark
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Jess Holle wrote:
> Mark Thomas wrote:
>> Jess Holle wrote:
>>> Mark Thomas wrote:
>>>> Jess Holle wrote:
>>>>> You're right -- this works fine in the direct case.
>>>>>
>>>>> So I need to file a bug against mod_proxy_ajp instead? Or is
>>>>> there some chance this is in the AJP connector?
>>>> Only if there is a bug - we haven't shown that yet ;)
>>>>
>>>> Could you provide some version numbers please (httpd, mod_jk, etc)
>>>>
>>>> Also, what setting are you using for JkOptions?
>>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>>
>>>> I suspect you want
>>>> JkOptions +ForwardURICompatUnparsed
>>>> but read the docs carefully before making any changes so you
>>>> understand the security implications.
>>> I don't believe mod_proxy_ajp provides any such options -- and I'm
>>> using that and Apache 2.2.x, not 2.0.x and/or mod_jk. At any rate,
>>> I have:
>> I couldn't see anything either. This looks like a mod_proxy_ajp
>> bug/missing feature.
> I jumped the gun once by filing this against Tomcat, but it seems
> everything is pointing to mod_proxy_ajp. Is it time to file a bug
> against it?
P.S. Where we use Apache 2 and mod_jk, we use
JkOptions +ForwardURIEscaped
JkOptions +FlushPackets
The latter is covered in mod_proxy_ajp via "flushpackets=on", but I
don't see any coverage of the former.
--
Jess Holle
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Mark Thomas wrote:
> Jess Holle wrote:
>> Mark Thomas wrote:
>>> Jess Holle wrote:
>>>> You're right -- this works fine in the direct case.
>>>>
>>>> So I need to file a bug against mod_proxy_ajp instead? Or is there
>>>> some chance this is in the AJP connector?
>>> Only if there is a bug - we haven't shown that yet ;)
>>>
>>> Could you provide some version numbers please (httpd, mod_jk, etc)
>>>
>>> Also, what setting are you using for JkOptions?
>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>
>>> I suspect you want
>>> JkOptions +ForwardURICompatUnparsed
>>> but read the docs carefully before making any changes so you
>>> understand the security implications.
>> I don't believe mod_proxy_ajp provides any such options -- and I'm
>> using that and Apache 2.2.x, not 2.0.x and/or mod_jk. At any rate, I
>> have:
> I couldn't see anything either. This looks like a mod_proxy_ajp
> bug/missing feature.
I jumped the gun once by filing this against Tomcat, but it seems
everything is pointing to mod_proxy_ajp. Is it time to file a bug
against it?
--
Jess Holle
Re: %3B in path-info
Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> Mark Thomas wrote:
>> Jess Holle wrote:
>>> You're right -- this works fine in the direct case.
>>>
>>> So I need to file a bug against mod_proxy_ajp instead? Or is there
>>> some chance this is in the AJP connector?
>> Only if there is a bug - we haven't shown that yet ;)
>>
>> Could you provide some version numbers please (httpd, mod_jk, etc)
>>
>> Also, what setting are you using for JkOptions?
>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>
>> I suspect you want
>> JkOptions +ForwardURICompatUnparsed
>> but read the docs carefully before making any changes so you
>> understand the security implications.
> I don't believe mod_proxy_ajp provides any such options -- and I'm using
> that and Apache 2.2.x, not 2.0.x and/or mod_jk. At any rate, I have:
I couldn't see anything either. This looks like a mod_proxy_ajp bug/missing
feature.
Mark
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
Mark Thomas wrote:
> Jess Holle wrote:
>> You're right -- this works fine in the direct case.
>>
>> So I need to file a bug against mod_proxy_ajp instead? Or is there
>> some chance this is in the AJP connector?
> Only if there is a bug - we haven't shown that yet ;)
>
> Could you provide some version numbers please (httpd, mod_jk, etc)
>
> Also, what setting are you using for JkOptions?
> http://tomcat.apache.org/connectors-doc/reference/apache.html
>
> I suspect you want
> JkOptions +ForwardURICompatUnparsed
> but read the docs carefully before making any changes so you
> understand the security implications.
I don't believe mod_proxy_ajp provides any such options -- and I'm using
that and Apache 2.2.x, not 2.0.x and/or mod_jk. At any rate, I have:
<Proxy balancer://ajpWorker>
BalancerMember ajp://localhost:8010 min=16 max=80 smax=40 ttl=900 keepalive=Off timeout=90000 retry=1 flushpackets=on
</Proxy>
and
<IfModule mod_proxy_ajp.c>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(/MyWebAppName/(.*\.jsp(.*)|servlet/.*|.*\.jar))$ balancer://ajpWorker$1 [P]
</IfModule>
</IfModule>
which maps all JSP, servlet, and .jar requests to Tomcat and lets Apache
handle everything else.
--
Jess Holle
Re: %3B in path-info
Posted by Mark Thomas <ma...@apache.org>.
Jess Holle wrote:
> You're right -- this works fine in the direct case.
>
> So I need to file a bug against mod_proxy_ajp instead? Or is there some
> chance this is in the AJP connector?
Only if there is a bug - we haven't shown that yet ;)
Could you provide some version numbers please (httpd, mod_jk, etc)
Also, what setting are you using for JkOptions?
http://tomcat.apache.org/connectors-doc/reference/apache.html
I suspect you want
JkOptions +ForwardURICompatUnparsed
but read the docs carefully before making any changes so you understand the
security implications.
Mark
Re: %3B in path-info
Posted by Jess Holle <je...@ptc.com>.
You're right -- this works fine in the direct case.
So I need to file a bug against mod_proxy_ajp instead? Or is there some
chance this is in the AJP connector?
Rainer Jung wrote:
> So are you saying, that the request goes through httpd/mod_proxy or
> mod_jk? If so, you should first test with direct request, so that we
> know, where we have to look for the problem.
>
> With mod_jk there were a couple of encoding changes and the latest
> versions without a forwarding JkOption I think decodes the semicolon
> before forwarding, because the AJP connector does not decode before
> looking for the jsessionid.
>
> Regards,
>
> Rainer
Re: %3B in path-info
Posted by Rainer Jung <ra...@kippdata.de>.
Jess Holle wrote:
> We have some servlets that take rather general path-info's. When these
> include a /properly escaped/ semicolon, invoking getPathInfo() in Tomcat
> results in a truncated path info.
>
> Is this a known bug?
>
> For example, one might have the request
>
>
> http://myhost/mywebapp/servlet/myservlet*/pathcomp1/pathcomp2/foo%3Bbar*?spaz=bot
>
>
> The expected result of getPathInfo() is
>
> /pathcomp1/pathcomp2/foo%3Bbar
>
> The actual result in Tomcat is:
>
> */pathcomp1/pathcomp2/foo*
>
> Note that the %3B is already converted into a ";" character in the
> results of getRequestURI()...
>
> This certainly would appear to be a bug in /something/. Or is this a
> bug or misconfiguration in mod_proxy_ajp or some such?
So are you saying, that the request goes through httpd/mod_proxy or
mod_jk? If so, you should first test with direct request, so that we
know, where we have to look for the problem.
With mod_jk there were a couple of encoding changes and the latest
versions without a forwarding JkOption I think decodes the semicolon
before forwarding, because the AJP connector does not decode before
looking for the jsessionid.
Regards,
Rainer