From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Reg : Parameter Filters
Date Fri, 06 Sep 2019 18:56:28 GMT

Praveen,

On 9/6/19 06:25, praveen kumar wrote:
> Thanks for quick response and information. Christopher I tried the
> first option you mentioned from the following reference and tried
> to redirect to a customized error page instead of letting the
> geoserver application spit the exception. But maybe I missed
> something in implementation that did not work.
> 
> 1. Copied urlrewritefilter-4.0.3.jar to Web-inf/lib
> 
> 2. urlrewrite.xml in web-inf directory
> 
> <urlrewrite>
>   <rule enabled="true">
>     <condition type="query-string" operator="equal"></condition>
>     <from>WIDTH=[^0-9]+</from>
>     <to type="redirect">error.html</to>
>   </rule>
> </urlrewrite>

You are mapping from an expression when this needs to map from a URL.
The regex should be in the <condition> like this:

    <condition type="query-string" operator="equal">WIDTH=[^0-9]+</condition>

Note that this doesn't allow the WIDTH parameter to be empty. Is that
okay? It also allows (probably?) invalid input such as "WIDTH=10xyz".
You will need a more complicated regular expression pattern to get the
job done properly.

Try changing your configuration to:

<urlrewrite>
  <rule enabled="true">
    <condition type="query-string" operator="equal">WIDTH=[^0-9]+</condition>
    <from>/path/to/protected/servlet/mapping</from>
    <to type="redirect">error.html</to>
  </rule>
</urlrewrite>

> And 3. in web.xml:
> 
> <context-param>
>   <!-- see comments on the PARTIAL-BUFFER strategy -->
>   <!-- this sets the size of the buffer. default is "50" = 50kb -->
>   <param-name>PARTIAL_BUFFER_STRATEGY_SIZE</param-name>
>   <param-value>50</param-value>
> </context-param>
> 
> <filter>
>   <filter-name>UrlRewriteFilter</filter-name>
>   <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
>   <init-param>
>     <param-name>confPath</param-name>
>     <param-value>/WEB-INF/urlrewrite.xml</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>UrlRewriteFilter</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>REQUEST</dispatcher>
>   <dispatcher>FORWARD</dispatcher>
> </filter-mapping>
> ...
> </context>

Consider only mapping the url-rewrite filter to those URL patterns you
actually plan on protecting. Since this is all very explicit, and
regular expression evaluation is expensive, you only want to execute
those checks on very specific URL patterns.

> André Warnier I would like to redirect such invalid requests to a
> dummy error page which do nothing. I hope this can be done to just
> drop the invalid requests.

Then I think you want:

  <to>null</to>

Hope that helps,
-chris

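As an added example (not code from this thread, from Tuckey's filter or from GeoServer), this is the "write it yourself" option from Chris's list as a servlet filter, using the stricter check his note about empty and "10xyz" values calls for. The class name, the set of checked parameters, the 1 to 5 digit limit and the use of the javax.servlet API (Tomcat 8/9) are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Drops requests whose WIDTH or HEIGHT is not a plain positive integer before
// they reach the application (hypothetical class name, not GeoServer code).
public class DimensionParamFilter implements Filter {
    // Whole value must be 1 to 5 digits with no sign or leading zero; unlike
    // WIDTH=[^0-9]+ this also rejects "", "10xyz", "-1" and "1e3".
    private static final Pattern POSITIVE_INT = Pattern.compile("[1-9][0-9]{0,4}");
    private static final String[] CHECKED = {"WIDTH", "HEIGHT"};
    // WMS parameter names are case-insensitive, so "width" must be checked too.
    static boolean isChecked(String name) {
        for (String c : CHECKED) if (c.equalsIgnoreCase(name)) return true;
        return false;
    }
    // One value, fully matched; a repeated parameter (WIDTH=10&WIDTH=abc) is rejected.
    static boolean acceptable(String[] values) {
        return values != null && values.length == 1
                && POSITIVE_INT.matcher(values[0]).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Parameter values here are URL-decoded (query string and POST body);
        // a urlrewrite query-string condition matches the raw query string.
        for (String name : request.getParameterMap().keySet()) {
            if (isChecked(name) && !acceptable(request.getParameterValues(name))) {
                // Same effect as urlrewrite's <to>null</to>: empty 400, chain stops.
                HttpServletResponse response = (HttpServletResponse) resp;
                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                response.setContentLength(0);
                response.flushBuffer();
                return;
            }
        }
        chain.doFilter(req, resp); // all checked parameters are fine
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Register it in WEB-INF/web.xml with a <filter> and <filter-mapping> pair, and map it only to the servlet path that serves map requests, for the same reason given above for the url-rewrite filter.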
> On Fri, Sep 6, 2019 at 3:44 PM André Warnier (tomcat)
> <aw@ice-sa.com> wrote:
> 
>> On 05.09.2019 20:58, Christopher Schultz wrote:
>>> 
>>> Praveen,
>>> 
>>> On 9/5/19 05:07, praveen kumar wrote:
>>>> Hello, I am working with an application called geoserver
>>>> which works on Apache Tomcat server. Just for an idea for
>>>> those who do not know, geoserver is an application that serves
>>>> web map services. When I am calling this service I will be
>>>> providing a few parameters about the map like layer name,
>>>> height, width and so on. Now my requirement is to restrict
>>>> the values passed to these parameters. For example, for
>>>> WIDTH it should only consider an integer; a request having
>>>> a string for WIDTH should not reach my application. I am
>>>> looking for some redirect rules but I could not succeed. It
>>>> would be great if someone can help or guide me on this.
>>> 
>>> LOL this service doesn't actually sanitize its input? Yikes.
>>> 
>>> The good news is that you can do this in a few ways.
>>> 
>>> You have 3 options that I can see:
>>> 
>>> 1. Use a redirect filter
>>> 2. Use a reverse-proxy like Apache with some filtering configured
>>> 3. Write it yourself
>>> 
>>> In order to use a redirect filter, you will have to:
>>> 
>>> a. Choose a redirect filter (e.g. Tomcat's rewrite[1] or
>>>    Tuckey's urlrewrite[2])
>>> b. Configure it with a file. The configuration depends upon
>>>    which filter you choose
>>> c. Bundle that filter+config with the application
>>> 
>>> In order to use a reverse proxy, you'll need to:
>>> 
>>> a. Choose a reverse proxy (e.g. Apache httpd, nginx, Squid, etc.)
>>> b. Configure it properly (which depends upon your choice in (a) above)
>>> 
>>> In order to write it yourself, you will have to:
>>> 
>>> a. Write a servlet filter in Java
>>> b. Package that filter into the application
>>> c. Install that filter into the filter-chain by modifying the
>>>    application's WEB-INF/web.xml file
>>> 
>>> Do you have a preference?
>>> 
>>> -chris
>> 
>> +1, but I would have to add that first of all, Praveen should
>> have a clear idea of /what he thinks should happen/, if one of
>> the request parameters does not meet expectations. Saying that
>> "the request should not make it to the application" is one thing,
>> but what do you want to happen instead ?
>> 
>> 
>> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

