From jean-frederic clere <jfcl...@gmail.com>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Fri, 09 Sep 2011 11:02:04 GMT
On 09/08/2011 11:58 PM, Konstantin Kolinko wrote:
> 2011/9/9 Christopher Schultz <chris@christopherschultz.net>:
>> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>>>
>>>> Mark's official report to the users' list indicates that setting a
>>>> "secret" for the AJP connection does the trick. (I tried this
>>>> myself before digging up his message and can confirm that the
>>>> sample code fails when a "secret" is set).
>>>>
>>>> Should we mention this on the Security page directly for those who
>>>> didn't read the announcement on the users' list?
>>>
>>> No reason why not. Go for it.
>>
>> Okay. Any idea if mod_proxy_ajp supports the shared secret? The
>> documentation is so light on actually using mod_proxy_ajp that it might
>> be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
>> completely undocumented in the httpd documentation.
>>
>> This is all I could find:
>> (..)
>>
>
> I understand that the sources for that module for the current HTTPD
> branch are in the following place in ASF svn:
> /httpd/httpd/branches/2.2.x/modules/proxy/
>
> The only code that mentions "secret" is in ajp_header.c there (besides
> a constant declared in ajp_header.h) and it is commented out
>
> /* XXXX need to figure out how to do this
>      if (s->secret) {
>
>
> There is no parameter or local variable named "s" in that method, so
> it probably originates from mod_jk.

Yep. We need a directive to set the secret in httpd; I will discuss that 
on the httpd dev list.

Cheers

Jean-Frederic

>
> Best regards,
> Konstantin Kolinko
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
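The mitigation the thread settles on is a shared AJP secret on the Tomcat side, presented by the reverse proxy on every request. The fragment below is an added illustration of that setting and is not part of the original messages, the Tomcat documentation or the httpd sources; it shows a typical unprotected AJP connector next to the same connector restricted to the loopback interface and requiring a secret. The attribute names are the Tomcat 7-era ones (`requiredSecret`, `address`); the secret value, port and address are placeholders to be replaced for a real deployment.

```xml
<!-- conf/server.xml excerpt (added example, not from the thread).
     Weak: the AJP connector listens on every interface and accepts any
     CPing/Forward-Request packet from any client that can reach port 8009. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bound to loopback so only a proxy on the same host can
     connect, and every AJP request must carry the shared secret.
     REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder; generate a long
     random value and keep it out of version control. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

On the proxy side the same value goes into the mod_jk worker definition (`worker.ajp13.secret=...` in workers.properties, for a worker named `ajp13`); a proxy that does not send it, which at the time of this thread included mod_proxy_ajp in httpd 2.2.x, will have its forwarded requests rejected by the connector, so check the proxy's support before enabling the attribute. In later Tomcat releases (8.5.51 and 9.0.31 onward) the attribute was renamed `secret`, with a separate `secretRequired` flag, so consult the connector reference for the version actually deployed.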

