Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/02 10:29:07 UTC
[tomcat] branch 8.5.x updated: Fix BZ 64483 Log a warning when an
AJP request is rejected
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 06edd30 Fix BZ 64483 Log a warning when an AJP request is rejected
06edd30 is described below
commit 06edd300c183fc0e49df81a86666fae58d8fbed9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 2 11:22:35 2020 +0100
Fix BZ 64483 Log a warning when an AJP request is rejected
---
java/org/apache/coyote/ajp/AjpProcessor.java | 15 +++++----------
java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
webapps/docs/changelog.xml | 4 ++++
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index fa71116..e65486d 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -28,7 +28,6 @@ import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;
@@ -863,17 +862,13 @@ public class AjpProcessor extends AbstractProcessor {
} else {
// All 'known' attributes will be processed by the previous
// blocks. Any remaining attribute is an 'arbitrary' one.
- if (allowedRequestAttributesPattern == null) {
+ if (allowedRequestAttributesPattern != null &&
+ allowedRequestAttributesPattern.matcher(n).matches()) {
+ request.setAttribute(n, v);
+ } else {
+ log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
response.setStatus(403);
setErrorState(ErrorState.CLOSE_CLEAN, null);
- } else {
- Matcher m = allowedRequestAttributesPattern.matcher(n);
- if (m.matches()) {
- request.setAttribute(n, v);
- } else {
- response.setStatus(403);
- setErrorState(ErrorState.CLOSE_CLEAN, null);
- }
}
}
break;
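Review bot: The attribute name `n` passed to the new `log.warn(sm.getString("ajpprocessor.unknownAttribute", n))` call is taken from the AJP message and written to the log as received, so whoever can reach the AJP port controls both the content and the number of these WARN lines. Whether the logging backend neutralises CR/LF or very long values in `n` is not visible in this hunk; if it does not, escape or length-cap the name before logging. A comment such as `// n is peer-supplied; log the name only, never the value v` would record why `v` is deliberately left out of the message. One warning per rejected request is good for detection, but it may need rate limiting on deployments where the connector is reachable by more than the trusted proxy. The enclosing block starts and ends outside this hunk.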
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties
index 38067ca..bc9bae6 100644
--- a/java/org/apache/coyote/ajp/LocalStrings.properties
+++ b/java/org/apache/coyote/ajp/LocalStrings.properties
@@ -29,6 +29,7 @@ ajpprocessor.header.tooLong=Header message of length [{0}] received but the pack
ajpprocessor.readtimeout=Timeout attempting to read data from the socket
ajpprocessor.request.prepare=Error preparing request
ajpprocessor.request.process=Error processing request
+ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy
ajpprotocol.noBio=The AJP BIO connector has been removed in Tomcat 8.5.x onwards. The AJP BIO connector configuration has been automatically switched to use the AJP NIO connector instead.
ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index cb81ea7..8d31f4a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -79,6 +79,10 @@
<bug>64467</bug>: Improve performance of closing idle HTTP/2 streams.
(markt)
</fix>
+ <add>
+ <bug>64483</bug>: Log a warning if an AJP request is rejected because it
+ contains an unexpected request attribute. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="WebSocket">