Mark,
On 6/2/20 06:24, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/master by this > push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request > is rejected 186aae3 is described below > > commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas > <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020 +0100 > > Fix BZ 64483 Log a warning when an AJP request is rejected --- > java/org/apache/coyote/ajp/AjpProcessor.java | 14 > ++++---------- java/org/apache/coyote/ajp/LocalStrings.properties | > 1 + webapps/docs/changelog.xml | 4 ++++ 3 > files changed, 9 insertions(+), 10 deletions(-) > > diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java > b/java/org/apache/coyote/ajp/AjpProcessor.java index > d24a818..77d6a94 100644 --- > a/java/org/apache/coyote/ajp/AjpProcessor.java +++ > b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -30,7 +30,6 @@ > import java.util.HashMap; import java.util.HashSet; import > java.util.Map; import java.util.Set; -import > java.util.regex.Matcher; import java.util.regex.Pattern; > > import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12 > @@ public class AjpProcessor extends AbstractProcessor { // All > 'known' attributes will be processed by the previous // blocks. Any > remaining attribute is an 'arbitrary' one. Pattern pattern = > protocol.getAllowedRequestAttributesPatternInternal(); - > if (pattern == null) { + if (pattern != null && > pattern.matcher(n).matches()) { + > request.setAttribute(n, v); + } else { + > log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); > response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, > null);

Possible DOS by spamming the log file? I suppose you can DOS by filling the access log, too :/

-chris
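Review bot: In the else branch of the @@ -779,17 +778,12 @@ hunk, log.warn(sm.getString("ajpprocessor.unknownAttribute", n)) writes the request attribute name n at WARN each time a request is rejected, with no bound on how often the message is emitted and no limit or escaping applied to n. Consider rate limiting this message (for example per connection or per time interval) and truncating or sanitising n before it is formatted, so that a peer sending many unknown attributes cannot grow the log without bound or place control characters in it. The rewritten condition also routes the pattern == null case into the same warning, so a connector with no allowed pattern will log for every arbitrary attribute; a short comment confirming that this is intended would help.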