Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/08/05 07:02:43 UTC

[Bug 65481] New: PUT request considered as GET by "require " directives

https://bz.apache.org/bugzilla/show_bug.cgi?id=65481

            Bug ID: 65481
           Summary: PUT request considered as GET by "require " directives
           Product: Apache httpd-2
           Version: 2.4.29
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: mod_authz_core
          Assignee: bugs@httpd.apache.org
          Reporter: ajirge@qualys.com
  Target Milestone: ---

Error

2021-08-05T06:49:12+00:00 <hostname> httpd[15433]: [authz_core:error] [pid 15433] [client 10.44.x.xx:60101] AH01630: client denied by server configuration: /home/www/xxxx/php/receiver/Upload/Queued/file3.txt


Curl request

curl -kv -u "$UPDLOGIN:$UPDPASS" -T /root/install.log "$NOCURL/receiver/Upload/Queued/file3.txt" 2>&1)



Httpd/access_log

10.44.1.17 - <username> [05/Aug/2021:06:53:23 +0000] "PUT /receiver/Upload/Queued/file3.txt HTTP/1.1" 200 - "-" "curl/7.71.1" 17102 0


httpd.conf


<Directory "/home/www/XXX/php/receiver/Upload">
    require method PUT
    AllowOverride All
    Options -Indexes +FollowSymLinks -Includes
    AuthName      "NocHost"
    AuthType      Basic
    AuthUserFile  /home/www/XXX/conf/htpasswd_host
    Script PUT /receiver/put.php
    <Limit PUT>
        require valid-user
    </Limit>
</Directory>


Conclusion:

If the require clause is modified as follows, it overcomes the errors, but I expect
to limit the requests to the PUT method only.

     require method PUT GET


Here the PUT requests are considered as GET methods and hence generate errors
if GET requests are blocked.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org



--- Comment #4 from ajirge@qualys.com ---
(In reply to Christophe JAILLET from comment #3)
> Hi,
> 
> I guess that your error_log file should be more verbose than what you have
> provided.
> 
> Are you sure that your login/password are correct?
> What if you remove the <Limit PUT> block in the conf? Does GET still
> succeed?

I tried enabling everything possible to get verbose logs. But debug mode generated
very little information, which I shared on the bug.

The credential provided is also correct. 

If I remove the <Limit PUT> block, GET fails. In fact, GET always fails if only
PUT is allowed. (<LIMIT PUT> or require method PUT).

In this bug, everything is working as expected. I am able to upload files using
the PUT method successfully with VALID credentials.

The only thing wrong here is an error message which is getting generated in the
error logs (however, it does not have any adverse effect on the workflow of PUT).


For compliance reasons, we need to address every error. And to suppress these
error messages we cannot allow the GET method for security reasons.




Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Eric Covener <co...@gmail.com> ---
Please post full matching access/error logs @ LogLevel trace8




--- Comment #3 from Christophe JAILLET <ch...@wanadoo.fr> ---
Hi,

I guess that your error_log file should be more verbose than what you have
provided.

Are you sure that your login/password are correct?
What if you remove the <Limit PUT> block in the conf? Does GET still succeed?




ajirge@qualys.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW




Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #5 from Eric Covener <co...@gmail.com> ---
Does this act any better?

<Directory "/home/www/XXX/php/receiver/Upload">
    <RequireAll>
        require method PUT
        require valid-user
    </RequireAll>
    AllowOverride All
    Options -Indexes +FollowSymLinks -Includes
    AuthName      "NocHost"
    AuthType      Basic
    AuthUserFile  /home/www/XXX/conf/htpasswd_host
    Script PUT /receiver/put.php
</Directory>

Does your config similarly protect direct access to /receiver/put.php?
Does the error message get triggered when /receiver/put.php is accessed
directly?

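The difference between the reporter's config and the <RequireAll> form in comment #5, as an added example that is not part of this thread or of httpd: a Python model of the documented Require combination rules (sibling Require lines form an implicit <RequireAny>; a line inside <Limit> applies only to the listed methods), evaluated over both configs. Result names mirror mod_authz_core's; the outcome() wording and the closure-based modelling are this example's assumptions.

```python
# Added example, not httpd code: a model of how mod_authz_core combines Require
# lines (siblings are implicitly OR-ed as <RequireAny>; a line inside <Limit> is
# NEUTRAL for other methods), run over this bug's configs. Result names follow
# authz_core; the outcome() wording is this example's assumption.
GRANTED, DENIED, NO_USER, NEUTRAL = "granted", "denied", "denied_no_user", "neutral"

def require(provider, args=(), limit=None):
    """One Require line; limit = methods of an enclosing <Limit>, None = all."""
    def check(method, user):
        if limit is not None and method not in limit:
            return NEUTRAL                        # <Limit> does not cover this method
        if provider == "method":
            return GRANTED if method in args else DENIED
        if provider == "valid-user":
            return GRANTED if user else NO_USER   # needs authentication first
        raise ValueError(provider)
    return check

def container(op, *children):
    """op 'any' = <RequireAny> (the implicit default), 'all' = <RequireAll>."""
    def check(method, user):
        result = NEUTRAL
        for child in children:
            r = child(method, user)
            if r == NEUTRAL:
                continue
            if op == "any":
                if r == GRANTED:
                    return GRANTED                # one success is enough
                result = NO_USER if NO_USER in (r, result) else DENIED
            else:
                if r == DENIED:
                    return DENIED                 # one failure is enough
                result = NO_USER if NO_USER in (r, result) else GRANTED
        return result
    return check

def outcome(section, method, user=None):   # what the pre-authn authz pass does
    r = section(method, user)
    if r == GRANTED:
        return "granted"
    if r == NO_USER:
        return "authentication required"
    return "403, AH01630 client denied by server configuration"

# Original config: "require method PUT" beside "<Limit PUT> require valid-user".
ORIGINAL = container("any", require("method", ("PUT",)), require("valid-user", limit={"PUT"}))
# Comment #5: <RequireAll> ties the method check to valid-user.
REQUIRE_ALL = container("all", require("method", ("PUT",)), require("valid-user"))
```

Under the implicit <RequireAny>, a PUT satisfies `require method PUT` on its own, so the valid-user line is an alternative rather than a condition; only the <RequireAll> form makes both hold for a PUT, while a GET is denied either way.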



--- Comment #2 from ajirge@qualys.com ---
Apache Configuration


LogLevel trace8
ErrorLog syslog:local0
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" combined
CustomLog "|/usr/sbin/httplog /var/log/httpd/access_log.%Y%m%d" combined


<VirtualHost _default_:50011>

    ServerName example.com
    DocumentRoot /home/www/xxx/php
    ErrorLog syslog:local1
    CustomLog "| /usr/sbin/httplog /var/log/httpd/xxx_access_log.%Y%m%d" combined

    <Directory "/home/www/xxx/php/receiver/Upload">
        require method PUT
        AllowOverride All
        Options -Indexes +FollowSymLinks -Includes
        AuthName      "NocHost"
        AuthType      Basic
        AuthUserFile  /home/www/xxx/conf/htpasswd_host
        Script PUT /receiver/put.php
        <Limit PUT>
            require valid-user
        </Limit>
    </Directory>
</VirtualHost>


Curl Request


[root@localhost ~]# (. /usr/local/example/admin/etc/admin.conf; curl -kv -u "$UPDLOGIN:$UPDPASS" -T /root/install.log "$NOCURL/receiver/Upload/Queued/file3.txt" 2>&1)

*   Trying 10.44.3.55:443...
* Connected to xxx.p32.eng.sjc01.example.com (10.44.3.55) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=Foster City; O=example, Inc.; OU=Engineering; CN=*.p32.eng.sjc01.example.com
*  start date: Feb 15 04:55:00 2021 GMT
*  expire date: Feb 15 04:55:00 2022 GMT
*  issuer: C=US; ST=California; L=Redwood City; O=example, Inc.; OU=Operations; CN=example Ops T2v1; emailAddress=ops@example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user '099991506691'
> PUT /receiver/Upload/Queued/file3.txt HTTP/1.1
> Host: xxx.p32.eng.sjc01.example.com
> Authorization: Basic MxxxxxtoLis=
> User-Agent: curl/7.71.1
> Accept: */*
> Content-Length: 10034
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 Created
< Date: Thu, 05 Aug 2021 18:10:58 GMT
< Server: Apache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host xxx.p32.eng.sjc01.example.com left intact



/var/log/messages



2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com systemd[1]: Started LSB: start and stop Apache HTTP Server.
2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com httpd[28345]: [mpm_prefork:notice] [pid 28345] AH00163: Apache/2.4.29 (Unix) OpenSSL/1.0.2k-fips configured -- resuming normal operations
2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com httpd[28345]: [mpm_prefork:info] [pid 28345] AH00164: Server built: Dec 28 2020 12:40:18
2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com httpd[28345]: [core:notice] [pid 28345] AH00094: Command line: '/usr/sbin/httpd'
2021-08-05T18:10:58+00:00 mon02.p32.eng.sjc01.example.com httpd[28357]: [authz_core:error] [pid 28357] [client 10.44.1.17:23881] AH01630: client denied by server configuration: /home/www/xxx/php/receiver/Upload/Queued/file3.txt



/var/log/httpd/xxx_access_log

10.44.1.17 - 099991506691 [05/Aug/2021:18:10:58 +0000] "PUT /receiver/Upload/Queued/file3.txt HTTP/1.1" 200 - "-" "curl/7.71.1" 28357 0




But if we replace "require method PUT" with "require method PUT GET", the error
AH01630 vanishes.
(In reply to Eric Covener from comment #1)
> Please post full matching access/error logs @ LogLevel trace8
