tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
Date Tue, 02 Jun 2020 16:30:52 GMT
On 02/06/2020 16:57, Christopher Schultz wrote:
> Mark,
> 
> On 6/2/20 11:44, Mark Thomas wrote:
>> On 02/06/2020 16:37, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 6/2/20 06:24, markt@apache.org wrote:
>>>> This is an automated email from the ASF dual-hosted git
>>>> repository.
>>>
>>>> markt pushed a commit to branch master in repository
>>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>>
>>>> The following commit(s) were added to refs/heads/master by
>>>> this push: new 186aae3  Fix BZ 64483 Log a warning when an AJP
>>>> request is rejected 186aae3 is described below
>>>
>>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark
>>>> Thomas <markt@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020
>>>> +0100
>>>
>>>> Fix BZ 64483 Log a warning when an AJP request is rejected ---
>>>> java/org/apache/coyote/ajp/AjpProcessor.java       | 14
>>>> ++++----------
>>>> java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
>>>> webapps/docs/changelog.xml                         |  4 ++++ 3
>>>> files changed, 9 insertions(+), 10 deletions(-)
>>>
>>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>>>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>>>> d24a818..77d6a94 100644 ---
>>>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>>>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6
>>>> @@ import java.util.HashMap; import java.util.HashSet; import
>>>> java.util.Map; import java.util.Set; -import
>>>> java.util.regex.Matcher; import java.util.regex.Pattern;
>>>
>>>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17
>>>> +778,12 @@ public class AjpProcessor extends AbstractProcessor
>>>> { // All 'known' attributes will be processed by the previous
>>>> // blocks. Any remaining attribute is an 'arbitrary' one.
>>>> Pattern pattern =
>>>> protocol.getAllowedRequestAttributesPatternInternal(); - if
>>>> (pattern == null) { +                    if (pattern != null
>>>> && pattern.matcher(n).matches()) { + request.setAttribute(n,
>>>> v); +                    } else { +
>>>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>>>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>>>> null);
>>>
>>> Possible DOS by spamming the log file?
>>>
>>> I suppose you can DOS by filling the access log, too :/
> 
>> How? This is AJP.
> 
> Exposed endpoint. *shrug*
> 
> I understand that this was added to make debugging of
> secured-endpoints easier (so the owner can whitelist whatever they
> seem to have forgotten) but anyone spamming the AJP port can cause a
> lot of output.

Ah. I thought the secret was checked earlier than it is.

> This would be similar to sending malformed HTTP requests, which we
> currently log a single time and then subsequent errors are logged "at
> debug level" so you can at least disable them for production.

I'm still in favour of leaving this as it is for multiple reasons:

- If users have exposed an AJP port to the public internet and are
  getting spammed / attacked they need to know.

- A misconfigured "private" Connector is far more likely than a
  correctly secured "public" one

- In terms of load it should be no worse than the access log (which
  is only noticeable when you load test on local host with a trivial
  servlet). There is no exception generated here which is the more
  usual source of load in these scenarios.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message