Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

jean-frederic clere Thu, 18 Jun 2020 09:38:16 -0700

On 17/06/2020 13:26, Yann Ylavic wrote:

On Sat, Jun 13, 2020 at 11:18 AM jean-frederic clere <jfcl...@gmail.com> wrote:


On 11/06/2020 13:50, Yann Ylavic wrote:

On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic <ylavic....@gmail.com> wrote:


On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic <ylavic....@gmail.com> wrote:


On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic <ylavic....@gmail.com> wrote:


We need a way to forward non %-decoded URLs upto mod_proxy (reverse)
if we want to normalize a second time..


IOW, this block in ap_process_request_internal():

[snip]

Should go _after_ the following:

[snip]

Or we could introduce a new pre_translate_name hook which would
execute before %-decoding, and be used by mod_proxy when
"ProxyPreTranslation on" is configured, and be a prerequisite for
mapping=servlet.

I find ProxyPreTranslation also useful for the non-servlet case btw.

Something like this attached v2 patch.


Here is a v3 with the relevant pre_translate_name hooks only and
ap_getparents() preserved when the URI does not start with '/' (which
makes the patch read better too).


with this patch, how to I get:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp

Mapped to
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
Or rejected in case I have only:
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@


Right sorry, it does not work with patch v3, I mainly focused on the
"decode at the right place" part of the issue, which is not your
point..

I just staged a more complete proposal in
https://github.com/apache/httpd/pull/128

For the proxy servlet part, I think that we need a dedicated
alias_match() for servlet mapping (called alias_match_servlet() in the
PR), we can't normalize and match separately or the matched length is
completely off wrt the original URI-path.

Can you please try with the patches there? (the last is not really
necessary, it's just to complete the PR should this be merged).

You need to set:
     ProxyMappingDecoded off
in your vhost (or directory) for servlet mapping to be active, with a
ProxyPass like:
     ProxyPass /good/ http://127.0.0.1:80/good/ mapping=servlet

I tried with paths like
"/bad/..;foo=bar/.;foo=bar//other;foo=bar//..;foo=bar/good;foo1=bar1/;foo2=bar2/.;foo3=bar3///./index.html"
which results in "/good/;foo2=bar2/.;foo3=bar3///./index.html" being
forwarded, still things that shouldn't be seem to be declined.

The code in alias_match_servlet() is not really simple, but neither is
servlet mapping..


OK we are going forward:
ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@

and curl -v --path-as-is"http://localhost:8000/docs/..;food=bar/test/index.jsp 404 httpd.


ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@  mapping=servlet

and curl -v --path-as-is"http://localhost:8000/docs/..;food=bar/test/index.jsp 200 tc URL:http://localhost:8000/test/index.jspbut curl -v --path-as-is"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp"; 404 httpdwhat is going wrong with"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp";same for "curl -v --path-as-is"http://localhost:8000/test;food=bar/index.jsp";


ProxyMappingDecoded On

ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@mapping=servlet 404 httpd.


ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 404 httpd.

Comments?



Regards;
Yann.



--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

Reply via email to