You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/04 21:11:59 UTC
[tomcat] branch 8.5.x updated: Tweak AJP improvements
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 64159aa Tweak AJP improvements
64159aa is described below
commit 64159aa1d7cdc2c118fcb5eac098e70129d54a19
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Feb 4 21:07:02 2020 +0000
Tweak AJP improvements
Better attribute name for allowedRequestAttributesPattern
Add explicit address attribute to commented out AJP connector
---
conf/server.xml | 5 ++++-
java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 16 ++++++++--------
java/org/apache/coyote/ajp/AjpProcessor.java | 10 +++++-----
test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 2 +-
webapps/docs/config/ajp.xml | 4 ++--
webapps/docs/security-howto.xml | 2 +-
6 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/conf/server.xml b/conf/server.xml
index 5d9d57a..bd3ed3e 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -114,7 +114,10 @@
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+ <Connector protocol="AJP/1.3"
+ address="::1"
+ port="8009"
+ redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
index bba4d6a..6790713 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
@@ -189,15 +189,15 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
}
- private Pattern allowedArbitraryRequestAttributesPattern;
- public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) {
- this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes);
+ private Pattern allowedRequestAttributesPattern;
+ public void setAllowedRequestAttributesPattern(String allowedRequestAttributesPattern) {
+ this.allowedRequestAttributesPattern = Pattern.compile(allowedRequestAttributesPattern);
}
- public String getAllowedArbitraryRequestAttributes() {
- return allowedArbitraryRequestAttributesPattern.pattern();
+ public String getAllowedRequestAttributesPattern() {
+ return allowedRequestAttributesPattern.pattern();
}
- protected Pattern getAllowedArbitraryRequestAttributesPattern() {
- return allowedArbitraryRequestAttributesPattern;
+ protected Pattern getAllowedRequestAttributesPatternInternal() {
+ return allowedRequestAttributesPattern;
}
@@ -253,7 +253,7 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
processor.setKeepAliveTimeout(getKeepAliveTimeout());
processor.setClientCertProvider(getClientCertProvider());
processor.setSendReasonPhrase(getSendReasonPhrase());
- processor.setAllowedArbitraryRequestAttributesPattern(getAllowedArbitraryRequestAttributesPattern());
+ processor.setAllowedRequestAttributesPattern(getAllowedRequestAttributesPatternInternal());
return processor;
}
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index 06c25b7..0ed3c3e 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -369,9 +369,9 @@ public class AjpProcessor extends AbstractProcessor {
}
- private Pattern allowedArbitraryRequestAttributesPattern;
- public void setAllowedArbitraryRequestAttributesPattern(Pattern allowedArbitraryRequestAttributesPattern) {
- this.allowedArbitraryRequestAttributesPattern = allowedArbitraryRequestAttributesPattern;
+ private Pattern allowedRequestAttributesPattern;
+ public void setAllowedRequestAttributesPattern(Pattern allowedRequestAttributesPattern) {
+ this.allowedRequestAttributesPattern = allowedRequestAttributesPattern;
}
// --------------------------------------------------------- Public Methods
@@ -844,11 +844,11 @@ public class AjpProcessor extends AbstractProcessor {
} else {
// All 'known' attributes will be processed by the previous
// blocks. Any remaining attribute is an 'arbitrary' one.
- if (allowedArbitraryRequestAttributesPattern == null) {
+ if (allowedRequestAttributesPattern == null) {
response.setStatus(403);
setErrorState(ErrorState.CLOSE_CLEAN, null);
} else {
- Matcher m = allowedArbitraryRequestAttributesPattern.matcher(n);
+ Matcher m = allowedRequestAttributesPattern.matcher(n);
if (m.matches()) {
request.setAttribute(n, v);
} else {
diff --git a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java
index a93da60..f66e399 100644
--- a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java
+++ b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java
@@ -50,7 +50,7 @@ public class TestAbstractAjpProcessor extends TomcatBaseTest {
Connector c = getTomcatInstance().getConnector();
c.setProperty("secretRequired", "false");
- c.setProperty("allowedArbitraryRequestAttributes", "MYATTRIBUTE.*");
+ c.setProperty("allowedRequestAttributesPattern", "MYATTRIBUTE.*");
}
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 6189f23..9b3f78e 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -48,7 +48,7 @@
it allows greater direct manipulation of Tomcat's internal data structures
than the HTTP connectors. Particular attention should be paid to the values
used for the <code>address</code>, <code>secret</code>,
- <code>secretRequired</code> and <code>allowedArbitraryRequestAttributes</code>
+ <code>secretRequired</code> and <code>allowedRequestAttributesPattern</code>
attributes.</p>
<p>This connector supports load balancing when used in conjunction with
@@ -326,7 +326,7 @@
port. By default, the loopback address will be used.</p>
</attribute>
- <attribute name="allowedArbitraryRequestAttributes" required="false">
+ <attribute name="allowedRequestAttributesPattern" required="false">
<p>The AJP protocol passes some information from the reverse proxy to the
AJP connector using request attributes. These attributes are:</p>
<ul>
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 5961cd0..1c57f71 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -255,7 +255,7 @@
<p>AJP Connectors block forwarded requests with unknown request
attributes. Known safe and/or expected attributes may be allowed by
configuration an appropriate regular expression for the
- <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+ <code>allowedRequestAttributesPattern</code> attribute.</p>
<p>The <strong>address</strong> attribute may be used to control which IP
address a connector listens on for connections. By default, a connector
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org