Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected

Tue, 02 Jun 2020 08:45:12 -0700 

On 02/06/2020 16:37, Christopher Schultz wrote:
> Mark,
> 
> On 6/2/20 06:24, ma...@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git
>> repository.
> 
>> markt pushed a commit to branch master in repository
>> https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
>> The following commit(s) were added to refs/heads/master by this
>> push: new 186aae3  Fix BZ 64483 Log a warning when an AJP request
>> is rejected 186aae3 is described below
> 
>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas
>> <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
> 
>> Fix BZ 64483 Log a warning when an AJP request is rejected ---
>> java/org/apache/coyote/ajp/AjpProcessor.java       | 14
>> ++++---------- java/org/apache/coyote/ajp/LocalStrings.properties |
>> 1 + webapps/docs/changelog.xml                         |  4 ++++ 3
>> files changed, 9 insertions(+), 10 deletions(-)
> 
>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java
>> b/java/org/apache/coyote/ajp/AjpProcessor.java index
>> d24a818..77d6a94 100644 ---
>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++
>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 @@
>> import java.util.HashMap; import java.util.HashSet; import
>> java.util.Map; import java.util.Set; -import
>> java.util.regex.Matcher; import java.util.regex.Pattern;
> 
>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12
>> @@ public class AjpProcessor extends AbstractProcessor { // All
>> 'known' attributes will be processed by the previous // blocks. Any
>> remaining attribute is an 'arbitrary' one. Pattern pattern =
>> protocol.getAllowedRequestAttributesPatternInternal(); -
>> if (pattern == null) { +                    if (pattern != null &&
>> pattern.matcher(n).matches()) { +
>> request.setAttribute(n, v); +                    } else { +
>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n));
>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN,
>> null);
> 
> Possible DOS by spamming the log file?
> 
> I suppose you can DOS by filling the access log, too :/

How? This is AJP.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to