Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

Wed, 10 Jun 2020 23:52:16 -0700 

On 10/06/2020 11:53, Ruediger Pluem wrote:



On 6/9/20 12:05 PM, jean-frederic clere wrote:

Hi,

Basically it adds servletnormalizecheck to mod_proxy for 
ProxyPass/ProxyPassMatch and mod_rewrite when using P
I have tested the following uses:
#ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ servletnormalizecheck

#ProxyPassMatch  "^/docs(.*)$" "ajp://localhost:8009/docs$1" secret=%A1b2!@ 
servletnormalizecheck

#RewriteEngine On
#RewriteRule "^/docs(.*)$" "ajp://localhost:8009/docs$1" [P,SNC]
#<Proxy "ajp://localhost:8009/docs">
#ProxySet connectiontimeout=5 timeout=30 secret=%A1b2!@
#</Proxy>

#<Location "/docs">
#  ProxyPass  ajp://localhost:8009/docs secret=%A1b2!@ servletnormalizecheck
#</Location>

What is not supported is
curl -v --path-as-is 
"http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp";

that could be remapped to
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ servletnormalizecheck
or a <location test/>

Comments?


I understood from Mark that the request you do above with curl should not be 
denied but just mapped to /test.
But rethinking that, it becomes real fun: For mapping we should use the URI 
stripped off path parameters and then having done the
shrinking operation (servlet normalized) but we should use the original URI 
having done the shrinking operation with path
parameters to sent to the backend. That might work for a simple prefix 
matching, but it seems to be very difficult for regular
expression scenarios where you might use complex captures from the matching to 
build the result. But if the matching was done
against the servlet normalized URI the captures might be different, than the 
ones you would have got when doing the same against
not normalized URI. So I am little bit lost here.
What if we just have an option on virtual host base to drop path parameters of 
the following kind

s#/([.]{0,2})(;[^/]*)/#/$1/g

do the usual shrinking operation afterwards and just process them afterwards as 
usual.



I think it makes sense to have it there but separated from the 
servletnormalizecheck because that changes the whole <VirtualHost/> mapping

So I will add something like MergeSlashes which will map
http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp
to /test

And arrange the proxy so that /docs/..;foo=bar/;foo=bar/test/index.jsp 
is sent to the back-end.



Should I commit my first proposal (it is easily backportable to 2.4.x) 
and later work on the next one?




Regards

Rüdiger





--
Cheers

Jean-Frederic






















					Reply via email to