Author: markt
Date: Fri Aug 19 16:38:47 2016
New Revision: 1756939
URL: http://svn.apache.org/viewvc?rev=1756939&view=rev
Log:
Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to
mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can
be used to mitigate any future, similar issues.
Modified:
tomcat/trunk/conf/web.xml
tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java
tomcat/trunk/webapps/docs/cgi-howto.xml
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/conf/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1756939&r1=1756938&r2=1756939&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Fri Aug 19 16:38:47 2016
@@ -334,6 +334,15 @@
<!-- executable Name of the executable used to run the -->
<!-- script. [perl] -->
<!-- -->
+ <!-- envHttpHeaders A regular expression used to select the HTTP -->
+ <!-- headers passed to the CGI process as -->
+ <!-- environment variables. Note that headers are -->
+ <!-- converted to upper case before matching and -->
+ <!-- that the entire header name must match the -->
+ <!-- pattern. -->
+ <!-- [ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST| -->
+ <!-- IF-[-0-9A-Z]*|REFERER|USER-AGENT] -->
+ <!-- -->
<!-- parameterEncoding Name of parameter encoding to be used with -->
<!-- CGI servlet. -->
<!-- [System.getProperty("file.encoding","UTF-8")] -->
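Review bot: The new envHttpHeaders comment explains the matching rules but not the security consequence of widening the pattern, which according to the log message is the whole reason the parameter exists. Every header name that matches becomes an HTTP_* environment variable, so a permissive value such as `.*` passes a client-supplied `Proxy` header through as `HTTP_PROXY` and reintroduces the httpoxy problem the default is meant to block, along with `Authorization` and `Proxy-Authorization`. I would add one aligned line after the default value: `<!-- Widening this pattern (e.g. to .*) re-exposes the CGI process to httpoxy-style attacks via HTTP_PROXY. -->`.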
@@ -353,7 +362,7 @@
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi</param-value>
</init-param>
- <load-on-startup>5</load-on-startup>
+ <load-on-startup>5</load-on-startup>
</servlet>
-->
Modified: tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java?rev=1756939&r1=1756938&r2=1756939&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java Fri Aug 19
16:38:47 2016
@@ -35,6 +35,7 @@ import java.util.Locale;
import java.util.Map.Entry;
import java.util.StringTokenizer;
import java.util.Vector;
+import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
@@ -265,6 +266,16 @@ public final class CGIServlet extends Ht
*/
private long stderrTimeout = 2000;
+ /**
+ * The regular expression used to select HTTP headers to be passed to the
+ * CGI process as environment variables. The name of the environment
+ * variable will be the name of the HTTP header converter to upper case,
+ * prefixed with <code>HTTP_</code> and with all <code>-</code> characters
+ * converted to <code>_</code>.
+ */
+ private Pattern envHttpHeadersPattern = Pattern.compile(
+
"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
+
/** object used to ensure multiple threads don't try to expand same file */
private static final Object expandFileLock = new Object();
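Review bot: The Javadoc on envHttpHeadersPattern contains a typo that changes its meaning: "the name of the HTTP header converter to upper case" should read `converted to upper case`. While editing it, it is worth stating the two properties a deployer needs to know: matching is case-sensitive against the upper-cased header name, so a configured expression must itself use upper-case letters (as the web.xml example does), and the expression must cover the whole header name because the lookup in this commit uses `matches()` rather than `find()`. Suggested first sentence: `The case-sensitive regular expression, matched against the entire upper-cased header name, used to select HTTP headers to be passed to the CGI process as environment variables.`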
@@ -326,6 +337,10 @@ public final class CGIServlet extends Ht
"stderrTimeout"));
}
+ if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
+ envHttpHeadersPattern =
+
Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
+ }
}
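Review bot: An invalid envHttpHeaders value makes `Pattern.compile` throw an unchecked PatternSyntaxException out of init(), so the deployer gets a stack trace that does not name the offending init parameter; the parameter is also read from the ServletConfig twice. I would read it once and convert the failure into a ServletException that names the parameter, assuming this init() declares ServletException as HttpServlet.init does (the method signature is outside the hunk); this needs `java.util.regex.PatternSyntaxException` imported next to Pattern. Failing init is the right outcome here, since silently falling back to the default would hide a misconfiguration of a security control.
```java
        String envHttpHeaders = getServletConfig().getInitParameter("envHttpHeaders");
        if (envHttpHeaders != null) {
            try {
                envHttpHeadersPattern = Pattern.compile(envHttpHeaders);
            } catch (PatternSyntaxException e) {
                throw new ServletException(
                        "Invalid envHttpHeaders regular expression: " + envHttpHeaders, e);
            }
        }
```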
@@ -963,12 +978,8 @@ public final class CGIServlet extends Ht
//REMIND: rewrite multiple headers as if received as single
//REMIND: change character set
//REMIND: I forgot what the previous REMIND means
- if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
- //NOOP per CGI specification section 11.2
- } else {
- envp.put("HTTP_" + header.replace('-', '_'),
- req.getHeader(header));
+ if (envHttpHeadersPattern.matcher(header).matches()) {
+ envp.put("HTTP_" + header.replace('-', '_'),
req.getHeader(header));
}
}
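Review bot: The exclusion of Authorization and Proxy-Authorization that CGI specification section 11.2 requires is now only as strong as the configured regular expression: the default pattern does not match them, but a deployer who widens envHttpHeaders (for example to `.*`) will forward the client's credentials and the `Proxy` header (the httpoxy vector itself) into the script's environment. I would keep an unconditional deny list in front of the regex so the spec-mandated exclusion cannot be configured away: `if (!"AUTHORIZATION".equals(header) && !"PROXY-AUTHORIZATION".equals(header) && !"PROXY".equals(header)` / `        && envHttpHeadersPattern.matcher(header).matches()) {`. The hyphenated spelling is the one to compare, since the `replace('-', '_')` on the following line shows header names still carry hyphens at this point; this also assumes the loop above the hunk has already upper-cased `header` as the documentation states, because `matches()` is case-sensitive. The enclosing method starts before the hunk.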
Modified: tomcat/trunk/webapps/docs/cgi-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/cgi-howto.xml?rev=1756939&r1=1756938&r2=1756939&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/cgi-howto.xml (original)
+++ tomcat/trunk/webapps/docs/cgi-howto.xml Fri Aug 19 16:38:47 2016
@@ -103,6 +103,12 @@ if your script is itself executable (e.g
<li><strong>executable-arg-1</strong>, <strong>executable-arg-2</strong>,
and so on - additional arguments for the executable. These precede the
CGI script name. By default there are no additional arguments.</li>
+<li><strong>envHttpHeaders</strong> - A regular expression used to select the
+HTTP headers passed to the CGI process as environment variables. Note that
+headers are converted to upper case before matching and that the entire header
+name must match the pattern. Default is
+<code>ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT</code>
+</li>
<li><strong>parameterEncoding</strong> - Name of the parameter encoding
to be used with the CGI servlet. Default is
<code>System.getProperty("file.encoding","UTF-8")</code>. That is the system
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1756939&r1=1756938&r2=1756939&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Aug 19 16:38:47 2016
@@ -146,6 +146,13 @@
<code>StandardRoot</code> instance now invalidate the cache if caching
is enabled. (markt)
</fix>
+ <add>
+ Add a new initialisation parameter, <code>envHttpHeaders</code>, to
+ the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a>
+ (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388"
+ >CVE-2016-5388</a>) by default and to provide a mechanism that can be
+ used to mitigate any future, similar issues. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">