tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
Date Tue, 02 Jun 2020 15:37:19 GMT

Mark,

On 6/2/20 06:24, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git
> repository.
>
> markt pushed a commit to branch master in repository
> https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/master by this
> push: new 186aae3  Fix BZ 64483 Log a warning when an AJP request
> is rejected 186aae3 is described below
>
> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas
> <markt@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
>
> Fix BZ 64483 Log a warning when an AJP request is rejected ---
> java/org/apache/coyote/ajp/AjpProcessor.java       | 14
> ++++---------- java/org/apache/coyote/ajp/LocalStrings.properties |
> 1 + webapps/docs/changelog.xml                         |  4 ++++ 3
> files changed, 9 insertions(+), 10 deletions(-)
>
> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
> b/java/org/apache/coyote/ajp/AjpProcessor.java index
> d24a818..77d6a94 100644 ---
> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 @@
> import java.util.HashMap; import java.util.HashSet; import
> java.util.Map; import java.util.Set; -import
> java.util.regex.Matcher; import java.util.regex.Pattern;
>
> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12
> @@ public class AjpProcessor extends AbstractProcessor { // All
> 'known' attributes will be processed by the previous // blocks. Any
> remaining attribute is an 'arbitrary' one. Pattern pattern =
> protocol.getAllowedRequestAttributesPatternInternal(); -
> if (pattern == null) { +                    if (pattern != null &&
> pattern.matcher(n).matches()) { +
> request.setAttribute(n, v); +                    } else { +
> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
> null);
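
Review bot: In the new else branch of the AjpProcessor.java hunk, log.warn(sm.getString("ajpprocessor.unknownAttribute", n)) is written once per rejected request and n is the attribute name taken from the request, so the sender controls both how often the line is written and what it contains. Consider logging at a lower level or emitting the warning at most once per interval, and bounding the length of n and escaping control characters before it is placed in the message. The rewritten condition also routes the pattern == null case through this branch, so a connector with no allowed request attributes pattern configured will now log a warning for every arbitrary attribute it receives; check that the ajpprocessor.unknownAttribute text reads correctly for that case as well.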

Possible DOS by spamming the log file?

I suppose you can DOS by filling the access log, too :/

-chris
