Subject: Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
To: dev@tomcat.apache.org
From: Mark Thomas <markt@apache.org>
Date: Tue, 2 Jun 2020 17:30:52 +0100

On 02/06/2020 16:57, Christopher Schultz wrote:
> Mark,
>
> On 6/2/20 11:44, Mark Thomas wrote:
>> On 02/06/2020 16:37, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 6/2/20 06:24, markt@apache.org wrote:
>>>> This is an automated email from the ASF dual-hosted git
>>>> repository.
>>>
>>>> markt pushed a commit to branch master in repository
>>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>>
>>>> The following commit(s) were added to refs/heads/master by this push:
>>>> new 186aae3 Fix BZ 64483 Log a warning when an AJP request is rejected
>>>> 186aae3 is described below
>>>
>>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9
>>>> Author: Mark Thomas
>>>> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
>>>
>>>> Fix BZ 64483 Log a warning when an AJP request is rejected
>>>> ---
>>>> java/org/apache/coyote/ajp/AjpProcessor.java | 14 ++++----------
>>>> java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
>>>> webapps/docs/changelog.xml | 4 ++++
>>>> 3 files changed, 9 insertions(+), 10 deletions(-)
>>>
>>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>>>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>>>> d24a818..77d6a94 100644 ---
>>>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>>>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6
>>>> @@ import java.util.HashMap; import java.util.HashSet; import
>>>> java.util.Map; import java.util.Set; -import
>>>> java.util.regex.Matcher; import java.util.regex.Pattern;
>>>
>>>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17
>>>> +778,12 @@ public class AjpProcessor extends AbstractProcessor
>>>> { // All 'known' attributes will be processed by the previous
>>>> // blocks. Any remaining attribute is an 'arbitrary' one.
>>>> Pattern pattern =
>>>> protocol.getAllowedRequestAttributesPatternInternal(); - if
>>>> (pattern == null) { + if (pattern != null
>>>> && pattern.matcher(n).matches()) { + request.setAttribute(n,
>>>> v); + } else { +
>>>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>>>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>>>> null);
>>>
>>> Possible DOS by spamming the log file?
>>>
>>> I suppose you can DOS by filling the access log, too :/
>
>> How? This is AJP.
>
> Exposed endpoint. *shrug*
>
> I understand that this was added to make debugging of
> secured-endpoints easier (so the owner can whitelist whatever they
> seem to have forgotten) but anyone spamming the AJP port can cause a
> lot of output.

Ah. I thought the secret was checked earlier than it is.

> This would be similar to sending malformed HTTP requests, which we
> currently log a single time and then subsequent errors are logged "at
> debug level" so you can at least disable them for production.

I'm still in favour of leaving this as it is for multiple reasons:

- If users have exposed an AJP port to the public internet and are
  getting spammed / attacked they need to know.
- A misconfigured "private" Connector is far more likely than a
  correctly secured "public" one
- In terms of load it should be no worse than the access log (which is
  only noticeable when you load test on local host with a trivial
  servlet). There is no exception generated here which is the more usual
  source of load in these scenarios.

Mark
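Review bot: in the @@ -779,17 +778,12 @@ hunk the new `log.warn(sm.getString("ajpprocessor.unknownAttribute", n))` runs for every rejected attribute with no throttling, so any client that can reach the AJP port can grow the log at request rate; the once-at-WARN-then-DEBUG approach the thread mentions for malformed HTTP requests would keep the first warning visible to the operator without that cost. The attribute name `n` interpolated into the message is taken from the request, so it should be quoted or have control characters neutralised before it reaches the log, otherwise a crafted name can forge additional log lines. The quoted hunk is also cut off after `setErrorState(ErrorState.CLOSE_CLEAN, null);`, so the end of the else branch should be confirmed against the full diff.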
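Added example, not Tomcat's code: a stand-in for the arbitrary-attribute branch of the patch above that keeps the same decision (reject unless the name matches the allowed pattern) but logs the first rejection at WARNING and later ones at FINE, the once-then-debug style Chris mentions for malformed HTTP requests. Class and method names are hypothetical, and `java.util.logging` stands in for Tomcat's own logger.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Hypothetical stand-in for the arbitrary-attribute branch of AjpProcessor.
// Keeps the patch's decision (reject unless the name matches the allowed
// pattern) but logs the first rejection at WARNING and later ones at FINE.
public class ArbitraryAttributeFilter {
    private static final Logger log = Logger.getLogger(ArbitraryAttributeFilter.class.getName());
    private final Pattern allowed;   // null: no arbitrary attribute is allowed, as in the patch
    private final AtomicBoolean warned = new AtomicBoolean(false);
    private final AtomicLong rejected = new AtomicLong();

    public ArbitraryAttributeFilter(Pattern allowed) {
        this.allowed = allowed;
    }

    // Same predicate as the patched code: pattern != null && pattern.matcher(n).matches()
    public boolean isAllowed(String name) {
        return allowed != null && allowed.matcher(name).matches();
    }

    // Returns false when the caller should answer 403 and close the connection.
    public boolean accept(String name) {
        if (isAllowed(name)) {
            return true;
        }
        long count = rejected.incrementAndGet();
        // The name is client-supplied: neutralise control characters so a crafted
        // value cannot inject extra lines into the log.
        String safe = name.replaceAll("\\p{Cntrl}", "?");
        if (warned.compareAndSet(false, true)) {
            log.log(Level.WARNING, "Rejected AJP request attribute [{0}]; further rejections go to FINE", safe);
        } else if (log.isLoggable(Level.FINE)) {
            log.log(Level.FINE, "Rejected AJP request attribute [{0}] ({1} rejected so far)", new Object[] {safe, count});
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: only attributes whose name starts with AJP_ are permitted
        ArbitraryAttributeFilter f = new ArbitraryAttributeFilter(Pattern.compile("AJP_.*"));
        f.accept("AJP_REMOTE_PORT");          // allowed, would be set on the request
        for (int i = 0; i < 1000; i++) {
            f.accept("evil\nattr");           // one WARNING line, then FINE only
        }
        System.out.println(f.rejected.get() + " attributes rejected");
    }
}
```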