tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
Date Tue, 02 Jun 2020 15:57:44 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 6/2/20 11:44, Mark Thomas wrote:
> On 02/06/2020 16:37, Christopher Schultz wrote:
>> Mark,
>>
>> On 6/2/20 06:24, markt@apache.org wrote:
>>> This is an automated email from the ASF dual-hosted git
>>> repository.
>>
>>> markt pushed a commit to branch master in repository
>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>>> The following commit(s) were added to refs/heads/master by
>>> this push: new 186aae3  Fix BZ 64483 Log a warning when an AJP
>>> request is rejected 186aae3 is described below
>>
>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark
>>> Thomas <markt@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020
>>> +0100
>>
>>> Fix BZ 64483 Log a warning when an AJP request is rejected ---
>>> java/org/apache/coyote/ajp/AjpProcessor.java       | 14
>>> ++++----------
>>> java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
>>> webapps/docs/changelog.xml                         |  4 ++++ 3
>>> files changed, 9 insertions(+), 10 deletions(-)
>>
>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>>> d24a818..77d6a94 100644 ---
>>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6
>>> @@ import java.util.HashMap; import java.util.HashSet; import
>>> java.util.Map; import java.util.Set; -import
>>> java.util.regex.Matcher; import java.util.regex.Pattern;
>>
>>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17
>>> +778,12 @@ public class AjpProcessor extends AbstractProcessor
>>> { // All 'known' attributes will be processed by the previous
>>> // blocks. Any remaining attribute is an 'arbitrary' one.
>>> Pattern pattern =
>>> protocol.getAllowedRequestAttributesPatternInternal(); - if
>>> (pattern == null) { +                    if (pattern != null
>>> && pattern.matcher(n).matches()) { + request.setAttribute(n,
>>> v); +                    } else { +
>>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>>> null);
>>
>> Possible DOS by spamming the log file?
>>
>> I suppose you can DOS by filling the access log, too :/
>
> How? This is AJP.

Exposed endpoint. *shrug*

I understand that this was added to make debugging of
secured-endpoints easier (so the owner can whitelist whatever they
seem to have forgotten) but anyone spamming the AJP port can cause a
lot of output.

This would be similar to sending malformed HTTP requests, which we
currently log a single time and then subsequent errors are logged "at
debug level" so you can at least disable them for production.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7WdvgACgkQHPApP6U8
pFhbtxAAlbaqmiPAMduW/gJrHIbL/FWvO7CgxSeUCbVMTo5mJmEZfJseiu/8jIMJ
8oejSRodPGeQhy8bdhelI3btQ69j5FYoXhN1Xn5A1vfEHP2EgsZj1hMp8FklYSo6
XJBqG+mpbASOvQS8iDhwX3S6mNrhOLZYhDO6otQ1mTz3MIbquK8fvMNxvltmmti6
gXyag9WwBY/Ln1M3vn7VcYAbY5NrhnR8QQn8BJq2FVWxxXeuhJV8CJeV860/0kkl
MufKzLKt7xEyWp4Bd+iH0qOpWdib57vjXSzPc6DQw7LU0npOO68kcRc1H8RIqqjY
GuL8m1LX4OuBJZ0S7JkOH3EpPwQrM9QkUHkKyR3XYFKOHiAJx1YHWSAJczFG8CWH
Iu+E9Rc1bcLSe+9UbvTkNEj/nie2JiDNa+DV+xL56tnkHlAMn1uULwAUE9aff827
amiLosBInW0QvzqwPV0CA/WbIkdNxAOjI2mqYETxuBeFKHdGVdCtY/bDfhrLenT3
GYA88fNiWaRGkJHWRFaBrTpFlV5h/zgBygEPwazL/dXVXk46IR7viOfRugGipbE+
YiyJMVFR/TbkNN2CIm9zymHBhOwSe3cgUTasSNn5jucU2kWrp2qiVE+6jtlMpWtt
zIyt8y8IxxOyNXgo7kaVMboixYrgH5aZYlgGcde6IMCNn1Q898M=
=iDD7
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message