On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere <jfcl...@gmail.com> wrote: > > >> > >> But there is still something I want to prevent: > >> ProxyPass /docs ajp://localhost:8009/docs > >> and url like: > >> curl -v --path-as-is > >> "http://localhost:8000/docs/..;food=bar/test/index.jsp"; > >> How do we do that? Do we want a 400 for that? (my proposal do that :-)). > > > > Why would we 400? > > Either there is a mapping for /test[/] and we'll be OK, or there is > > none we'll be DECLINED. > > For the moment I am getting a 200 and the test/index.jsp from tomcat...
Hmm, do you mean that mod_proxy (alias_match_servlet) forwards http://localhost:8000/test/index.php in this case, even if there is no mapping for "/test" ?? In my testing it's not mapped, so it ends up being handled by the default_handler() which returns 404. > > > > > The 400 will come only if no module handles the URI, and if the > > default_handler() finds no "docs/..;food=bar/test/index.jsp" in the > > path (where "..;foo=bar" is not considered a directory traversal in > > this case). > > ProxyPass /docs ajp://localhost:8009/docs > being mapped as /test/index.jsp (by tomcat) when you > query"http://localhost:8000/docs/..;food=bar/test/index.jsp"; looks wrong > and should avoidable. > > > > > On my system, this runs smoothly: > > $ mkdir -p 'docs/..;foo=bar/test' > > $ touch 'docs/..;foo=bar/test/index.php' > > $ ls 'docs/..;foo=bar/test/index.php' > > 'docs/..;foo=bar/test/index.php' > > > > Correct the hardening is to prevent "tomcat customers mistake" that gets > unexpected contexts exposed. I am not able to get it working with you > proposal. I don't think we should refuse anything in mod_proxy, either forward or let it be handled elsewhere. > > > > > Regards; > > Yann.
