tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rj...@apache.org
Subject svn commit: r549885 - in /tomcat/connectors/trunk/jk: native/apache-1.3/ native/apache-2.0/ native/common/ native/iis/ native/netscape/ xdocs/miscellaneous/ xdocs/reference/ xdocs/webserver_howto/
Date Fri, 22 Jun 2007 17:17:41 GMT
Author: rjung
Date: Fri Jun 22 10:17:40 2007
New Revision: 549885

URL: http://svn.apache.org/viewvc?view=rev&rev=549885
Log:
New option RejectUnsafeURI (Apache),
resp. reject_unsafe (IIS, Netscape)

This will block all URLs, which contain percent signs '%'
or backslashes '\' after URL decoding.
Most web apps do not use such URLs. Using the option, one
can block several well known URL encoding attacks.
By default, this option is not set.
For Apache httpd one could also realize such a check with
mod_rewrite, which is more powerful. Our method works for all
supported web servers.

Modified:
    tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
    tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
    tomcat/connectors/trunk/jk/native/common/jk_global.h
    tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
    tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h
    tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c
    tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c
    tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
    tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
    tomcat/connectors/trunk/jk/xdocs/reference/iis.xml
    tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml

Modified: tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c Fri Jun 22 10:17:40 2007
@@ -1759,6 +1759,9 @@
         else if (!strcasecmp(w, "ForwardKeySize")) {
             opt = JK_OPT_FWDKEYSIZE;
         }
+        else if (!strcasecmp(w, "RejectUnsafeURI")) {
+            opt = JK_OPT_REJECTUNSAFE;
+        }
         else
             return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
                               "'", NULL);
@@ -1857,7 +1860,6 @@
 
     /*
      * JkAutoMount specifies that the list of handled URLs must be
-     * JkAutoMount specifies that the list of handled URLs must be
      * asked to the servlet engine (autoconf feature)
      */
     {"JkAutoMount", jk_automount_context, NULL, RSRC_CONF, TAKE12,
@@ -2531,10 +2533,15 @@
                                                                            &jk_module);
         open_jk_log(srv, p);
         if (sconf) {
+            sconf->options &= ~sconf->exclude_options;
             if (!uri_worker_map_alloc(&(sconf->uw_map),
                                       sconf->uri_to_context, sconf->log))
                 jk_error_exit(APLOG_MARK, APLOG_EMERG, srv,
                               p, "Memory error");
+            if (sconf->options & JK_OPT_REJECTUNSAFE)
+                sconf->uw_map->reject_unsafe = 1;
+            else
+                sconf->uw_map->reject_unsafe = 0;
             if (sconf->mount_file) {
                 sconf->uw_map->fname = sconf->mount_file;
                 sconf->uw_map->reload = sconf->mount_file_reload;
@@ -2547,7 +2554,6 @@
                     ap_log_error(APLOG_MARK, APLOG_ERR, srv,
                                  "JkRequestLogFormat format array NULL");
             }
-            sconf->options &= ~sconf->exclude_options;
             if (sconf->envvars_in_use) {
                 int i;
                 const array_header *arr;

Modified: tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c Fri Jun 22 10:17:40 2007
@@ -1790,6 +1790,9 @@
         else if (!strcasecmp(w, "ForwardKeySize")) {
             opt = JK_OPT_FWDKEYSIZE;
         }
+        else if (!strcasecmp(w, "RejectUnsafeURI")) {
+            opt = JK_OPT_REJECTUNSAFE;
+        }
         else
             return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
                                "'", NULL);
@@ -2825,10 +2828,15 @@
                 if (open_jklog(srv, pconf))
                     return HTTP_INTERNAL_SERVER_ERROR;
                 if (sconf) {
+                    sconf->options &= ~sconf->exclude_options;
                     if (!uri_worker_map_alloc(&(sconf->uw_map),
                                               sconf->uri_to_context, sconf->log))
                         jk_error_exit(APLOG_MARK, APLOG_EMERG, srv,
                                       srv->process->pool, "Memory error");
+                    if (sconf->options & JK_OPT_REJECTUNSAFE)
+                        sconf->uw_map->reject_unsafe = 1;
+                    else
+                        sconf->uw_map->reject_unsafe = 0;
                     if (sconf->mount_file) {
                         sconf->uw_map->fname = sconf->mount_file;
                         sconf->uw_map->reload = sconf->mount_file_reload;
@@ -2841,7 +2849,6 @@
                             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                          "JkRequestLogFormat format array NULL");
                     }
-                    sconf->options &= ~sconf->exclude_options;
                     if (sconf->envvars_in_use) {
                         int i;
                         const apr_array_header_t *arr;

Modified: tomcat/connectors/trunk/jk/native/common/jk_global.h
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_global.h?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_global.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_global.h Fri Jun 22 10:17:40 2007
@@ -245,6 +245,7 @@
 #define JK_OPT_DISABLEREUSE         0x0080
 #define JK_OPT_FWDCERTCHAIN         0x0100
 #define JK_OPT_FWDKEYSIZE           0x0200
+#define JK_OPT_REJECTUNSAFE         0x0400
 
 /* Check for EBCDIC systems */
 

Modified: tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c Fri Jun 22 10:17:40 2007
@@ -535,6 +535,7 @@
                               const char *uri, jk_logger_t *l)
 {
     unsigned int i;
+    int reject_unsafe;
     const char *rv = NULL;
     char  url[JK_MAX_URI_LEN+1];
 
@@ -564,6 +565,7 @@
     /* Make the copy of the provided uri and strip
      * everything after the first ';' char.
      */
+    reject_unsafe = uw_map->reject_unsafe;
     for (i = 0; i < strlen(uri); i++) {
         if (i == JK_MAX_URI_LEN) {
             jk_log(l, JK_LOG_WARNING,
@@ -574,15 +576,21 @@
         }
         if (uri[i] == ';')
             break;
-        else
+        else {
             url[i] = uri[i];
+            if (reject_unsafe && (url[i] == '%' || url[i] == '\\')) {
+                jk_log(l, JK_LOG_INFO, "Potentially unsafe request url '%s' rejected", uri);
+                JK_TRACE_EXIT(l);
+                return NULL;
+            }
+        }
     }
     url[i] = '\0';
 
     if (JK_IS_DEBUG_LEVEL(l)) {
         char *url_rewrite = strstr(uri, JK_PATH_SESSION_IDENTIFIER);
         if (url_rewrite)
-            jk_log(l, JK_LOG_DEBUG, "separating session identifier '%s' from url '%s'",
+            jk_log(l, JK_LOG_DEBUG, "Found session identifier '%s' in url '%s'",
                    url_rewrite, uri);
     }
     if (JK_IS_DEBUG_LEVEL(l))

Modified: tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h Fri Jun 22 10:17:40 2007
@@ -111,6 +111,8 @@
     /* Dynamic config support */
 
     JK_CRIT_SEC cs;
+    /* should we forward potentially unsafe URLs */
+    int reject_unsafe;    
     /* uriworkermap filename */
     const char *fname;    
     /* uriworkermap reload check interval */

Modified: tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c (original)
+++ tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c Fri Jun 22 10:17:40 2007
@@ -101,6 +101,7 @@
 #define WORKER_MOUNT_RELOAD_TAG     ("worker_mount_reload")
 #define STRIP_SESSION_TAG           ("strip_session")
 #define AUTH_COMPLETE_TAG           ("auth_complete")
+#define REJECT_UNSAFE_TAG           ("reject_unsafe")
 
 
 #define TRANSLATE_HEADER            ("Translate:")
@@ -194,6 +195,7 @@
 static int strip_session = 0;
 static DWORD auth_notification_flags = 0;
 static int   use_auth_notification_flags = 1;
+static int reject_unsafe = 0;
 
 #define URI_SELECT_OPT_PARSED       0
 #define URI_SELECT_OPT_UNPARSED     1
@@ -1730,6 +1732,10 @@
 
     if (uri_worker_map_alloc(&uw_map, NULL, logger)) {
         rc = JK_FALSE;
+        if (reject_unsafe)
+            uw_map->reject_unsafe = 1;
+        else
+            uw_map->reject_unsafe = 0;
         uw_map->fname = worker_mount_file;
         uw_map->reload = worker_mount_reload;
         if (worker_mount_file[0])
@@ -1849,6 +1855,7 @@
     worker_mount_reload = get_config_int(src, WORKER_MOUNT_RELOAD_TAG, JK_URIMAP_DEF_RELOAD);
     strip_session = get_config_bool(src, STRIP_SESSION_TAG, JK_FALSE);
     use_auth_notification_flags = get_config_int(src, AUTH_COMPLETE_TAG, 1);
+    reject_unsafe = get_config_bool(src, REJECT_UNSAFE_TAG, JK_FALSE);
     if (using_ini_file) {
         jk_map_free(&map);
     }

Modified: tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c (original)
+++ tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c Fri Jun 22 10:17:40 2007
@@ -33,6 +33,7 @@
 
 #define URI_PATTERN "path"
 #define DEFAULT_WORKER_NAME ("ajp13")
+#define REJECT_UNSAFE_TAG   ("reject_unsafe")
 
 #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
 
@@ -95,6 +96,7 @@
     if (uri_worker_map_alloc(&uw_map, NULL, logger)) {
         uw_map->fname = "";
         uw_map->reload = JK_URIMAP_DEF_RELOAD;
+        uw_map->reject_unsafe = jk_map_get_bool(init_map, "worker." REJECT_UNSAFE_TAG,
JK_FALSE);
         worker_env.uri_to_worker = uw_map;
         if (wc_open(init_map, &worker_env, logger)) {
             init_on_other_thread_is_ok = JK_TRUE;
@@ -227,6 +229,7 @@
     char *log_level_str = pblock_findval(JK_LOG_LEVEL_TAG, pb);
     char *log_file = pblock_findval(JK_LOG_FILE_TAG, pb);
     char *shm_file = pblock_findval(JK_SHM_FILE_TAG, pb);
+    char *reject_unsafe = pblock_findval(JK_REJECT_UNSAFE_TAG, pb);
 
     int rc = REQ_ABORTED;
 
@@ -269,6 +272,7 @@
                 jk_log(logger, JK_LOG_ERROR, "Error in resolving configuration references");
             }
 
+            jk_map_add(init_map, "worker." REJECT_UNSAFE_TAG, reject_unsafe); 
             s = systhread_start(SYSTHREAD_DEFAULT_PRIORITY,
                                 0, init_workers_on_other_threads, init_map);
             for (sleep_cnt = 0; sleep_cnt < 60; sleep_cnt++) {

Modified: tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Fri Jun 22 10:17:40 2007
@@ -28,6 +28,10 @@
   <subsection name="Native">
     <changelog>
       <update>
+      Common/Apache/IIS/Netscape: Add an option to check decoded URLs for
+      potentially malicious constructions. (rjung)
+      </update>
+      <update>
       IIS: Document auth_complete and uri_select. (rjung)
       </update>
       <update>

Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Fri Jun 22 10:17:40 2007
@@ -514,6 +514,30 @@
 </p>
 
 <p>
+JkOptions <b>RejectUnsafeURI</b> will block all
+URLs, which contain percent signs '%' or backslashes '\'
+after decoding.
+<br/>
+<br/>
+</p>
+<p>
+Most web apps do not use such URLs. Using the option RejectUnsafeURI, you
+can block several well known URL encoding attacks. By default, this option
+is not set.
+</p>
+<p>
+You can also realize such a check with mod_rewrite, which is more powerful
+but also slightly more complicated.
+
+<source>  
+  JkOptions     +RejectUnsafeURI
+</source>
+
+<br/>
+<br/>
+</p>
+
+<p>
 JkOptions <b>ForwardDirectories</b> is used in conjunction with <b>DirectoryIndex</b>
 directive of Apache web server. As such mod_dir should be available to Apache,
 statically or dynamically (DSO)
@@ -535,7 +559,7 @@
 </p>
 
 <p>
-If ForwarDirectories is set to true and Apache doesn't find any files that
+If ForwardDirectories is set to true and Apache doesn't find any files that
 match, the request will be forwarded to Tomcat for resolution. This is used in
 cases when Apache cannot see the index files on the file system for various
 reasons: Tomcat is running on a different machine, the JSP file has been

Modified: tomcat/connectors/trunk/jk/xdocs/reference/iis.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/iis.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/iis.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/iis.xml Fri Jun 22 10:17:40 2007
@@ -93,6 +93,8 @@
 A string value representing a boolean. If it is set to true,
 URL session suffixes of the form ";jsessionid=..." get stripped of URLs,
 even if the are served locally by the web server.
+</p>
+<p>
 A true value can be represented by the string "1" or any string starting
 with the letters "T" or "t". A false value will be assumed for "0"
 or any string starting with "F" or "f". The default value is false.
@@ -142,7 +144,22 @@
 </p>
 <p>The default value since version 1.2.24 is "proxy". Before it was "parsed".</p>
 </attribute>
+<attribute name="reject_unsafe" required="false"><p>
+A string value representing a boolean. If it is set to true,
+URLs containing percent signs '%' or backslashes '\'
+after decoding will be rejected.
+</p>
+<p>
+Most web apps do not use such URLs. By enabling "reject_unsafe" you
+can block several well known URL encoding attacks.
+</p>
 <p>
+A true value can be represented by the string "1" or any string starting
+with the letters "T" or "t". A false value will be assumed for "0"
+or any string starting with "F" or "f". The default value is false.
+</p>
+<p>This directive has been added in version 1.2.24</p>
+</attribute>
 </attributes>
 </section> 
 <section name="Using a properties file for configuration">

Modified: tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml Fri Jun 22 10:17:40 2007
@@ -545,6 +545,30 @@
 </p>
 
 <p>
+JkOptions <b>RejectUnsafeURI</b> will block all
+URLs, which contain percent signs '%' or backslashes '\'
+after decoding.
+<br/>
+<br/>
+</p>
+<p>
+Most web apps do not use such URLs. Using the option RejectUnsafeURI, you
+can block several well known URL encoding attacks. By default, this option
+is not set.
+</p>
+<p>
+You can also realize such a check with mod_rewrite, which is more powerful
+but also slightly more complicated.
+
+<source>
+  JkOptions     +RejectUnsafeURI
+</source>
+
+<br/>
+<br/>
+</p>
+
+<p>
 JkOptions <b>ForwardDirectories</b> is used in conjunction with <b>DirectoryIndex</b>
 directive of Apache web server. As such mod_dir should be available to Apache,
 statically or dynamically (DSO)



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message