tomcat-dev mailing list archives

From Konstantin Kolinko <>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 21:58:38 GMT
2011/9/9 Christopher Schultz <>:
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> All,
>>> Mark's official report to the users' list indicates that setting a
>>> "secret" for the AJP connection does the trick. (I tried this
>>> myself before digging-up his message and can confirm that the
>>> sample code fails when a "secret" is set).
>>> Should we mention this on the Security page directly for those who
>>> didn't read the announcement on the users' list?
>> No reason why not. Go for it.
> Okay. Any idea if mod_proxy_ajp supports the shared secret? The
> documentation is so light on actually using mod_proxy_ajp that it might
> be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
> completely undocumented in the httpd documentation.
> This is all I could find:

I understand that the sources for that module for the current HTTPD
branch are in the following place in ASF svn:

The only code that mentions "secret" is in ajp_header.c there (besides
a constant declared in ajp_header.h), and it is commented out:

/* XXXX need to figure out how to do this
    if (s->secret) {

There is no parameter or local variable named "s" in that method, so
it probably originates from mod_jk.

Best regards,
Konstantin Kolinko
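For readers landing on this thread looking for the actual mitigation, the following is an added example, not part of the message above or of the Tomcat project's documentation: two Tomcat 7-era server.xml connector fragments, the default one beside one that requires the shared secret. The attribute name requiredSecret is the Tomcat 7 spelling (later branches renamed it to secret); the value "changeit", the port and the loopback address are placeholders, and binding to loopback is an assumption that the proxy runs on the same host.

```xml
<!-- Added example, not from the thread or the Tomcat docs. Tomcat 7-era
     server.xml fragments; "changeit" and 127.0.0.1 are placeholders. -->

<!-- Weak: any client that can reach port 8009 may send CPing or
     Forward Request packets; nothing ties a request to a trusted proxy. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: Forward Requests that do not carry the shared secret are
     rejected (requiredSecret on Tomcat 7, renamed to secret later), and
     the connector listens on loopback only, assuming a co-located proxy. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="changeit" />
```

The proxy must send the same value: mod_jk does so via worker.<name>.secret=changeit in workers.properties, whereas, as the message above shows, the corresponding code in mod_proxy_ajp is commented out. An httpd front end that needs the secret check therefore has to use mod_jk, and in either case restricting which hosts can reach the AJP port at all remains the first line of defence.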
