tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43019] New: - valid absolute request uris + mod_jk 1.2.23 return 400 Invalid URI
Date Fri, 03 Aug 2007 00:35:54 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43019>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43019

           Summary: valid absolute request uris + mod_jk 1.2.23 return 400
                    Invalid URI
           Product: Tomcat 6
           Version: 6.0.13
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: blattj@yahoo-inc.com


Problem noticed after upgrading to 1.2.23 to pick up the fix for
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860

mod_jk now by default uses  JkOptions     +ForwardURICompatUnparsed

Problem seen with Tomcat 5.0.28 through 6.0.13 and other versions are likely
affected.

The problem:

Some HTTP clients send requests like:

POST http://host/abs_path HTTP/1.1
Host:host

When Tomcat is fronted by mod_jk 1.2.23, requests like now produce 400 Invalid
URI responses.

After more testing, we found:

(1) client -> (apache + mod_jk) -> tomcat: produces "400 Invalid URI" response
(2) client -> (apache + mod_jk) -> (tomcat + apr): produces "200 OK" response
(3) client -> tomcat: produces "200 OK" response

Stepping through case (1) with a debugger, request was rejected at this point:

package org.apache.catalina.connector;

public class CoyoteAdapter {
    public static boolean normalize(MessageBytes uriMB) {
        ...

        // The URL must start with '/'
        if (b[start] != (byte) '/') {
            return false;
        }

The byte buffer contained the full http://host/abs_path request uri.

Comparing the differences between org.apache.coyote.ajp.AjpAprProcessor (case 2,
works OK) and org.apache.jk.common.HandlerRequest (case 1, broken), we noticed
that AjpAprProcessor converts http://host/abs_path to /abs_path in the
STAGE_PREPARE phase but HandlerRequest does not.

To fix, we just copied the code from AjpAprProcessor to HandlerRequest
essentially unchanged:

package org.apache.jk.common;

public class HandlerRequest {
    ...

    private int decodeRequest( Msg msg, MsgContext ep, MessageBytes tmpMB )
        throws IOException    {
        ...

        decodeHeaders( ep, msg, req, tmpMB );

        decodeAttributes( ep, msg, req, tmpMB );

        rp.setStage(Constants.STAGE_PREPARE);
        
        // start yahoo! modified:
        // note this code was taken from AjpProcessor.prepare() - other code
        // from that method should also be considered for inclusion here
        
        // Check for a full URI (including protocol://host:port/)
        ByteChunk uriBC = req.requestURI().getByteChunk();
        if (uriBC.startsWithIgnoreCase("http", 0)) {

            int pos = uriBC.indexOf("://", 0, 3, 4);
            int uriBCStart = uriBC.getStart();
            int slashPos = -1;
            if (pos != -1) {
                byte[] uriB = uriBC.getBytes();
                slashPos = uriBC.indexOf('/', pos + 3);
                if (slashPos == -1) {
                    slashPos = uriBC.getLength();
                    // Set URI as "/"
                    req.requestURI().setBytes
                        (uriB, uriBCStart + pos + 1, 1);
                } else {
                    req.requestURI().setBytes
                        (uriB, uriBCStart + slashPos,
                         uriBC.getLength() - slashPos);
                }
                MessageBytes hostMB = req.getMimeHeaders().setValue("host");
                hostMB.setBytes(uriB, uriBCStart + pos + 3,
                                slashPos - pos - 3);
            }

        }
        
        // end yahoo! modified
        
        MessageBytes valueMB = req.getMimeHeaders().getValue("host");
        parseHost(valueMB, req);
        // set cookies on request now that we have all headers
        req.getCookies().setHeaders(req.getMimeHeaders());
     
        ...

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message