tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 21:58:38 GMT
2011/9/9 Christopher Schultz <chris@christopherschultz.net>:
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>>
>>> Mark's official report to the users' list indicates that setting a
>>> "secret" for the AJP connection does the trick. (I tried this
>>> myself before digging-up his message and can confirm that the
>>> sample code fails when a "secret" is set).
>>>
>>> Should we mention this on the Security page directly for those who
>>> didn't read the announcement on the users' list?
>>
>> No reason why not. Go for it.
>
> Okay. Any idea if mod_proxy_ajp supports the shared secret? The
> documentation is so light on actually using mod_proxy_ajp that it might
> be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
> completely undocumented in the httpd documentation.
>
> This is all I could find:
>(..)
>

I understand that the sources for that module for the current HTTPD
branch are in the following place in ASF svn:
/httpd/httpd/branches/2.2.x/modules/proxy/

The only code that mentions "secret" is in ajp_header.c there (besides
a constant declared in ajp_header.h), and it is commented out:

/* XXXX need to figure out how to do this
    if (s->secret) {


There is no parameter or local variable named "s" in that method, so
it probably originates from mod_jk.

Best regards,
Konstantin Kolinko
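To make concrete what the thread is discussing, the following is an added example, not code from the Tomcat or httpd projects: a minimal AJP13 packet builder and parser that shows where the shared secret actually travels (a CPing packet has no fields at all, while a Forward Request carries the secret as attribute code 0x0C after the headers), plus a connector-side check that mimics a connector configured with a required secret. The packet layout and attribute/header codes follow the AJPv13 specification; the URI, host and the secret value "changeit" are constructed sample data, and accept_request() is written to illustrate the check, not copied from Tomcat. For the releases of this era the matching settings are requiredSecret on Tomcat's AJP Connector and the secret worker property in mod_jk; httpd's mod_proxy_ajp did not gain a secret= worker parameter until 2.4.42.

```python
"""Added example: where the AJP13 shared secret lives and how a connector checks it."""
import hmac
import struct

AJP_MAGIC_REQ = b"\x12\x34"        # web server -> servlet container
JK_AJP13_FORWARD_REQUEST = 2
JK_AJP13_CPING_REQUEST = 10
SC_M_GET = 2                        # method code for GET
SC_A_REQ_ATTRIBUTE = 0x0A
SC_A_SSL_KEY_SIZE = 0x0B
SC_A_SECRET = 0x0C                  # attribute carrying the shared secret
SC_A_ARE_DONE = 0xFF
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              SC_A_SECRET: "secret", 0x0D: "stored_method"}
HEADER_NAMES = {0xA001: "accept", 0xA002: "accept-charset", 0xA003: "accept-encoding",
                0xA004: "accept-language", 0xA005: "authorization", 0xA006: "connection",
                0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie",
                0xA00A: "cookie2", 0xA00B: "host", 0xA00C: "pragma",
                0xA00D: "referer", 0xA00E: "user-agent"}


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL; 0xFFFF encodes a null string."""
    if s is None:
        return b"\xff\xff"
    b = s.encode("iso-8859-1")
    return struct.pack(">H", len(b)) + b + b"\x00"


def wrap(payload):
    return AJP_MAGIC_REQ + struct.pack(">H", len(payload)) + payload


def cping():
    """CPing has no fields at all, so nothing in it distinguishes a forged one."""
    return wrap(bytes([JK_AJP13_CPING_REQUEST]))


def forward_request(uri, host="localhost", port=8080, headers=None, secret=None):
    """Build a GET Forward Request; the secret (if any) is just one more attribute."""
    headers = headers or {}
    p = bytes([JK_AJP13_FORWARD_REQUEST, SC_M_GET])
    p += ajp_string("HTTP/1.1") + ajp_string(uri)
    p += ajp_string("127.0.0.1") + ajp_string(None) + ajp_string(host)  # remote_addr, remote_host, server_name
    p += struct.pack(">H", port) + b"\x00"                                # server_port, is_ssl = false
    p += struct.pack(">H", len(headers))
    for name, value in headers.items():
        p += ajp_string(name) + ajp_string(value)   # header names sent as plain strings
    if secret is not None:
        p += bytes([SC_A_SECRET]) + ajp_string(secret)
    return wrap(p + bytes([SC_A_ARE_DONE]))


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def int2(self):
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self):
        n = self.int2()
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode("iso-8859-1")
        self.pos += n + 1          # skip the NUL terminator
        return s


def parse_forward_request(packet):
    if packet[:2] != AJP_MAGIC_REQ:
        raise ValueError("bad magic")
    (length,) = struct.unpack(">H", packet[2:4])
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    r = _Reader(payload)
    if r.byte() != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    req = {"method": r.byte(), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.int2(),
           "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.int2()):
        code = r.int2()
        if code in HEADER_NAMES:           # well-known header sent as 0xA0xx code
            name = HEADER_NAMES[code]
        else:                              # plain string: the two bytes were its length
            r.pos -= 2
            name = r.string()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == SC_A_ARE_DONE:
            break
        if code == SC_A_REQ_ATTRIBUTE:
            req["attributes"][r.string()] = r.string()
        elif code == SC_A_SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.int2()
        else:
            req["attributes"][ATTR_NAMES.get(code, "attr_%02x" % code)] = r.string()
    return req


def accept_request(packet, required_secret):
    """Mimics a connector with a required secret: a Forward Request whose
    secret attribute is missing or wrong is rejected (hypothetical check)."""
    req = parse_forward_request(packet)
    if required_secret is None:
        return True                # no secret configured: anyone reaching the port is trusted
    presented = req["attributes"].get("secret")
    return presented is not None and hmac.compare_digest(presented, required_secret)


if __name__ == "__main__":
    pkt = forward_request("/manager/html", headers={"host": "localhost"}, secret="changeit")
    print(parse_forward_request(pkt))
    print(accept_request(pkt, "changeit"), accept_request(forward_request("/manager/html"), "changeit"))
```

Note that the secret is carried in cleartext inside every Forward Request, so it only helps when the AJP port is not reachable by untrusted parties that can sniff the link; it is an authentication token for the web server, not a confidentiality mechanism.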
