You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/02 10:24:15 UTC
[tomcat] branch master updated: Fix BZ 64483 Log a warning when an
AJP request is rejected
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 186aae3 Fix BZ 64483 Log a warning when an AJP request is rejected
186aae3 is described below
commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 2 11:22:35 2020 +0100
Fix BZ 64483 Log a warning when an AJP request is rejected
---
java/org/apache/coyote/ajp/AjpProcessor.java | 14 ++++----------
java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
webapps/docs/changelog.xml | 4 ++++
3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index d24a818..77d6a94 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -30,7 +30,6 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
import jakarta.servlet.http.HttpServletResponse;
@@ -779,17 +778,12 @@ public class AjpProcessor extends AbstractProcessor {
// All 'known' attributes will be processed by the previous
// blocks. Any remaining attribute is an 'arbitrary' one.
Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal();
- if (pattern == null) {
+ if (pattern != null && pattern.matcher(n).matches()) {
+ request.setAttribute(n, v);
+ } else {
+ log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
response.setStatus(403);
setErrorState(ErrorState.CLOSE_CLEAN, null);
- } else {
- Matcher m = pattern.matcher(n);
- if (m.matches()) {
- request.setAttribute(n, v);
- } else {
- response.setStatus(403);
- setErrorState(ErrorState.CLOSE_CLEAN, null);
- }
}
}
break;
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties
index ab377eb..467035d 100644
--- a/java/org/apache/coyote/ajp/LocalStrings.properties
+++ b/java/org/apache/coyote/ajp/LocalStrings.properties
@@ -26,6 +26,7 @@ ajpprocessor.header.tooLong=Header message of length [{0}] received but the pack
ajpprocessor.readtimeout=Timeout attempting to read data from the socket
ajpprocessor.request.prepare=Error preparing request
ajpprocessor.request.process=Error processing request
+ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy
ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored
ajpprotocol.noSecret=The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 056cf3b..fe75def 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -87,6 +87,10 @@
Expose server certificate through the <code>SSLSupport</code>
interface. (remm)
</update>
+ <add>
+ <bug>64483</bug>: Log a warning if an AJP request is rejected because it
+ contains an unexpected request attribute. (markt)
+ </add>
<fix>
<bug>64485</bug>: Fix possible resource leak geting last modified from
<code>ConfigurationSource.Resource</code>. (remm)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when
an AJP request is rejected
Posted by Mark Thomas <ma...@apache.org>.
On 02/06/2020 16:57, Christopher Schultz wrote:
> Mark,
>
> On 6/2/20 11:44, Mark Thomas wrote:
>> On 02/06/2020 16:37, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 6/2/20 06:24, markt@apache.org wrote:
>>>> This is an automated email from the ASF dual-hosted git
>>>> repository.
>>>
>>>> markt pushed a commit to branch master in repository
>>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>>
>>>> The following commit(s) were added to refs/heads/master by
>>>> this push: new 186aae3 Fix BZ 64483 Log a warning when an AJP
>>>> request is rejected 186aae3 is described below
>>>
>>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark
>>>> Thomas <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020
>>>> +0100
>>>
>>>> Fix BZ 64483 Log a warning when an AJP request is rejected ---
>>>> java/org/apache/coyote/ajp/AjpProcessor.java | 14
>>>> ++++----------
>>>> java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
>>>> webapps/docs/changelog.xml | 4 ++++ 3
>>>> files changed, 9 insertions(+), 10 deletions(-)
>>>
>>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>>>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>>>> d24a818..77d6a94 100644 ---
>>>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>>>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6
>>>> @@ import java.util.HashMap; import java.util.HashSet; import
>>>> java.util.Map; import java.util.Set; -import
>>>> java.util.regex.Matcher; import java.util.regex.Pattern;
>>>
>>>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17
>>>> +778,12 @@ public class AjpProcessor extends AbstractProcessor
>>>> { // All 'known' attributes will be processed by the previous
>>>> // blocks. Any remaining attribute is an 'arbitrary' one.
>>>> Pattern pattern =
>>>> protocol.getAllowedRequestAttributesPatternInternal(); - if
>>>> (pattern == null) { + if (pattern != null
>>>> && pattern.matcher(n).matches()) { + request.setAttribute(n,
>>>> v); + } else { +
>>>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>>>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>>>> null);
>>>
>>> Possible DOS by spamming the log file?
>>>
>>> I suppose you can DOS by filling the access log, too :/
>
>> How? This is AJP.
>
> Exposed endpoint. *shrug*
>
> I understand that this was added to make debugging of
> secured-endpoints easier (so the owner can whitelist whatever they
> seem to have forgotten) but anyone spamming the AJP port can cause a
> lot of output.
Ah. I thought the secret was checked earlier than it is.
> This would be similar to sending malformed HTTP requests, which we
> currently log a single time and then subsequent errors are logged "at
> debug level" so you can at least disable them for production.
I'm still in favour of leaving this as it is for multiple reasons:
- If users have exposed an AJP port to the public internet and are
getting spammed / attacked they need to know.
- A misconfigured "private" Connector is far more likely than a
correctly secured "public" one
- In terms of load it should be no worse than the access log (which
is only noticeable when you load test on local host with a trivial
servlet). There is no exception generated here which is the more
usual source of load in these scenarios.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when
an AJP request is rejected
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 6/2/20 11:44, Mark Thomas wrote:
> On 02/06/2020 16:37, Christopher Schultz wrote:
>> Mark,
>>
>> On 6/2/20 06:24, markt@apache.org wrote:
>>> This is an automated email from the ASF dual-hosted git
>>> repository.
>>
>>> markt pushed a commit to branch master in repository
>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>>> The following commit(s) were added to refs/heads/master by
>>> this push: new 186aae3 Fix BZ 64483 Log a warning when an AJP
>>> request is rejected 186aae3 is described below
>>
>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark
>>> Thomas <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020
>>> +0100
>>
>>> Fix BZ 64483 Log a warning when an AJP request is rejected ---
>>> java/org/apache/coyote/ajp/AjpProcessor.java | 14
>>> ++++----------
>>> java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
>>> webapps/docs/changelog.xml | 4 ++++ 3
>>> files changed, 9 insertions(+), 10 deletions(-)
>>
>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>>> d24a818..77d6a94 100644 ---
>>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6
>>> @@ import java.util.HashMap; import java.util.HashSet; import
>>> java.util.Map; import java.util.Set; -import
>>> java.util.regex.Matcher; import java.util.regex.Pattern;
>>
>>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17
>>> +778,12 @@ public class AjpProcessor extends AbstractProcessor
>>> { // All 'known' attributes will be processed by the previous
>>> // blocks. Any remaining attribute is an 'arbitrary' one.
>>> Pattern pattern =
>>> protocol.getAllowedRequestAttributesPatternInternal(); - if
>>> (pattern == null) { + if (pattern != null
>>> && pattern.matcher(n).matches()) { + request.setAttribute(n,
>>> v); + } else { +
>>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>>> null);
>>
>> Possible DOS by spamming the log file?
>>
>> I suppose you can DOS by filling the access log, too :/
>
> How? This is AJP.
Exposed endpoint. *shrug*
I understand that this was added to make debugging of
secured-endpoints easier (so the owner can whitelist whatever they
seem to have forgotten) but anyone spamming the AJP port can cause a
lot of output.
This would be similar to sending malformed HTTP requests, which we
currently log a single time and then subsequent errors are logged "at
debug level" so you can at least disable them for production.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7WdvgACgkQHPApP6U8
pFhbtxAAlbaqmiPAMduW/gJrHIbL/FWvO7CgxSeUCbVMTo5mJmEZfJseiu/8jIMJ
8oejSRodPGeQhy8bdhelI3btQ69j5FYoXhN1Xn5A1vfEHP2EgsZj1hMp8FklYSo6
XJBqG+mpbASOvQS8iDhwX3S6mNrhOLZYhDO6otQ1mTz3MIbquK8fvMNxvltmmti6
gXyag9WwBY/Ln1M3vn7VcYAbY5NrhnR8QQn8BJq2FVWxxXeuhJV8CJeV860/0kkl
MufKzLKt7xEyWp4Bd+iH0qOpWdib57vjXSzPc6DQw7LU0npOO68kcRc1H8RIqqjY
GuL8m1LX4OuBJZ0S7JkOH3EpPwQrM9QkUHkKyR3XYFKOHiAJx1YHWSAJczFG8CWH
Iu+E9Rc1bcLSe+9UbvTkNEj/nie2JiDNa+DV+xL56tnkHlAMn1uULwAUE9aff827
amiLosBInW0QvzqwPV0CA/WbIkdNxAOjI2mqYETxuBeFKHdGVdCtY/bDfhrLenT3
GYA88fNiWaRGkJHWRFaBrTpFlV5h/zgBygEPwazL/dXVXk46IR7viOfRugGipbE+
YiyJMVFR/TbkNN2CIm9zymHBhOwSe3cgUTasSNn5jucU2kWrp2qiVE+6jtlMpWtt
zIyt8y8IxxOyNXgo7kaVMboixYrgH5aZYlgGcde6IMCNn1Q898M=
=iDD7
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when
an AJP request is rejected
Posted by Mark Thomas <ma...@apache.org>.
On 02/06/2020 16:37, Christopher Schultz wrote:
> Mark,
>
> On 6/2/20 06:24, markt@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git
>> repository.
>
>> markt pushed a commit to branch master in repository
>> https://gitbox.apache.org/repos/asf/tomcat.git
>
>
>> The following commit(s) were added to refs/heads/master by this
>> push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request
>> is rejected 186aae3 is described below
>
>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas
>> <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
>
>> Fix BZ 64483 Log a warning when an AJP request is rejected ---
>> java/org/apache/coyote/ajp/AjpProcessor.java | 14
>> ++++---------- java/org/apache/coyote/ajp/LocalStrings.properties |
>> 1 + webapps/docs/changelog.xml | 4 ++++ 3
>> files changed, 9 insertions(+), 10 deletions(-)
>
>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>> d24a818..77d6a94 100644 ---
>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 @@
>> import java.util.HashMap; import java.util.HashSet; import
>> java.util.Map; import java.util.Set; -import
>> java.util.regex.Matcher; import java.util.regex.Pattern;
>
>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12
>> @@ public class AjpProcessor extends AbstractProcessor { // All
>> 'known' attributes will be processed by the previous // blocks. Any
>> remaining attribute is an 'arbitrary' one. Pattern pattern =
>> protocol.getAllowedRequestAttributesPatternInternal(); -
>> if (pattern == null) { + if (pattern != null &&
>> pattern.matcher(n).matches()) { +
>> request.setAttribute(n, v); + } else { +
>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>> null);
>
> Possible DOS by spamming the log file?
>
> I suppose you can DOS by filling the access log, too :/
How? This is AJP.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when
an AJP request is rejected
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 6/2/20 06:24, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git
> repository.
>
> markt pushed a commit to branch master in repository
> https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/master by this
> push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request
> is rejected 186aae3 is described below
>
> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas
> <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
>
> Fix BZ 64483 Log a warning when an AJP request is rejected ---
> java/org/apache/coyote/ajp/AjpProcessor.java | 14
> ++++---------- java/org/apache/coyote/ajp/LocalStrings.properties |
> 1 + webapps/docs/changelog.xml | 4 ++++ 3
> files changed, 9 insertions(+), 10 deletions(-)
>
> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
> b/java/org/apache/coyote/ajp/AjpProcessor.java index
> d24a818..77d6a94 100644 ---
> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 @@
> import java.util.HashMap; import java.util.HashSet; import
> java.util.Map; import java.util.Set; -import
> java.util.regex.Matcher; import java.util.regex.Pattern;
>
> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12
> @@ public class AjpProcessor extends AbstractProcessor { // All
> 'known' attributes will be processed by the previous // blocks. Any
> remaining attribute is an 'arbitrary' one. Pattern pattern =
> protocol.getAllowedRequestAttributesPatternInternal(); -
> if (pattern == null) { + if (pattern != null &&
> pattern.matcher(n).matches()) { +
> request.setAttribute(n, v); + } else { +
> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
> null);
Possible DOS by spamming the log file?
I suppose you can DOS by filling the access log, too :/
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7Wci4ACgkQHPApP6U8
pFhpnhAAjfeGXFsvte7M84+FCwtlA/AKeXDkdf3cq87D2G1lKPfMHAuiDYNJCnwP
G7CZRxP8S3yAxEd/tzplqFzRYwHK/ZHVfGMOscFSvREb/XxbUvCwdau3Zl/S0LHZ
kvw54K2M5BWpvz9fy7vcqlDlK5ccGkVY5y4J+F8vxyWojLU2KJUPQ0L7Zn750VDI
vUyapcc8xBgMvKMSyBWeWgpuHRzutgssxy/K3OX7xKn4o2OnGgc5C/5tgBRhEUv5
g1dQxD38GC8CoYmw5fPP5kWmRkQ9JWG4sgicrIRw1ZWidmbAhPPcEeibyclPhrw+
c5NegVCblAkGHbnEkxyCIKWoUmkq+w5uStIA7pzTLHK5JbTjALneOgjq3xPRRHa+
sD7R6rhMHWGQ3uZKLicasx8qDug/mscIMiVczSSyj5TAffT71+WetIxDztXnU6uD
2Z1ObTirdGVXAmqd7JcB9Rf2nMQcP4VQrR9yvM40x/zKXsfZytmtNgH3fR587EaI
rK1ye7ftSiR+Tiu/BGhfCbi2mIdVBoXwQ/2T/BR46xKMtsdksna8lZKhzf612PIF
WXVcQdWqDtlOhclIJOXYKyEn1/dhe3G5Mj41eR5h14SU3OrHTz3fCDEVwodrZUH4
8jK7/j6tN3WWHdJw6cFFxoSUzlG7JmYFOr7UniYjrG91cFVwf4g=
=BTn3
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org