On 22/06/2020 11:50, Yann Ylavic wrote:
On Mon, Jun 22, 2020 at 11:20 AM jean-frederic clere <jfcl...@gmail.com> wrote:

On 19/06/2020 12:02, Yann Ylavic wrote:
On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere <jfcl...@gmail.com> wrote:

ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@  mapping=servlet
[]
what is going wrong with
"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp"
same for "curl -v --path-as-is
"http://localhost:8000/test;food=bar/index.jsp"

Good catch, should be fixed with
https://github.com/apache/httpd/compare/491a115344e37df21996f323eefd16136d278360..d9f12223ba45e520dd018baf7be084809d531d81
Latest version of the PR should be OK.

Now it results in: ajp://localhost:8009/test;food=bar/index.jsp
We keep the path parameters since the alias (/test) does not end with '/'.

Cool fixed.

Thanks for testing.




ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
mapping=servlet 404 httpd.

ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 404 httpd.

Hmm, I can't reproduce these ones, they do not take the
alias_match_servlet() path and should not be affected by my changes.
Can you still reproduce with the latest version? I made some pushes
yesterday, perhaps a transient invalid state...

In fact I was screwing it up, sorry:

But there is still something I want to prevent:
ProxyPass  /docs ajp://localhost:8009/docs
and a URL like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp"
How do we do that? Do we want a 400 for that? (my proposal does that :-)).

Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none and we'll be DECLINED.

For the moment I am getting a 200 and the test/index.jsp from tomcat...


The 400 will come only if no module handles the URI, and if the
default_handler() finds no "docs/..;food=bar/test/index.jsp" in the
path (where "..;foo=bar" is not considered a directory traversal in
this case).

ProxyPass  /docs ajp://localhost:8009/docs
being mapped as /test/index.jsp (by tomcat) when you query "http://localhost:8000/docs/..;food=bar/test/index.jsp" looks wrong and should be avoidable.


On my system, this runs smoothly:
$ mkdir -p 'docs/..;foo=bar/test'
$ touch 'docs/..;foo=bar/test/index.php'
$ ls 'docs/..;foo=bar/test/index.php'
'docs/..;foo=bar/test/index.php'


Correct, the hardening is to prevent a "tomcat customers mistake" that gets unexpected contexts exposed. I am not able to get it working with your proposal.


Regards,
Yann.



--
Cheers

Jean-Frederic
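
The mismatch discussed in this thread, as an added example (not code from httpd, Tomcat, or either poster): it flags request paths that match a ProxyPass alias as written but resolve outside it once the backend has interpreted them. It assumes a backend that drops `;name=value` path parameters from each segment before resolving `..`, modelled on the behaviour reported above, and a plain prefix match on the front end; all function names are hypothetical.

```python
# Added example: models the front-end/backend path disagreement from the thread.
# Assumption: the backend strips ';params' per segment, then resolves dot segments.

def strip_path_params(path):
    """Drop ';name=value' parameters from every segment (assumed backend view)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def resolve_dot_segments(path):
    """Resolve '.' and '..' segments, never climbing above the root."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def backend_view(path):
    """Path the backend is assumed to act on for a given raw request path."""
    return resolve_dot_segments(strip_path_params(path))

def under_alias(path, alias):
    """Segment-aware prefix check: '/docs' covers '/docs' and '/docs/...' only."""
    alias = alias.rstrip("/")
    return path == alias or path.startswith(alias + "/")

def escapes_alias(request_path, alias):
    """True when the raw path matches the alias (simple prefix match, assumed)
    but the backend's resolved path falls outside that alias."""
    return under_alias(request_path, alias) and not under_alias(
        backend_view(request_path), alias
    )

if __name__ == "__main__":
    # Constructed sample paths; the second is the request quoted in the thread.
    samples = [
        "/docs/index.jsp",
        "/docs/..;food=bar/test/index.jsp",
        "/docs/a;x=1/../b.jsp",
    ]
    for p in samples:
        print(f"{p!r:45} backend={backend_view(p)!r:20} "
              f"escapes /docs: {escapes_alias(p, '/docs')}")
```

A front end could use such a check to reject or decline the request instead of forwarding it; which of those is right is the open question in the thread.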
