On 02/06/2020 16:37, Christopher Schultz wrote: > Mark, > > On 6/2/20 06:24, ma...@apache.org wrote: >> This is an automated email from the ASF dual-hosted git >> repository. > >> markt pushed a commit to branch master in repository >> https://gitbox.apache.org/repos/asf/tomcat.git > > >> The following commit(s) were added to refs/heads/master by this >> push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request >> is rejected 186aae3 is described below > >> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas >> <ma...@apache.org> AuthorDate: Tue Jun 2 11:22:35 2020 +0100 > >> Fix BZ 64483 Log a warning when an AJP request is rejected --- >> java/org/apache/coyote/ajp/AjpProcessor.java | 14 >> ++++---------- java/org/apache/coyote/ajp/LocalStrings.properties | >> 1 + webapps/docs/changelog.xml | 4 ++++ 3 >> files changed, 9 insertions(+), 10 deletions(-) > >> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java >> b/java/org/apache/coyote/ajp/AjpProcessor.java index >> d24a818..77d6a94 100644 --- >> a/java/org/apache/coyote/ajp/AjpProcessor.java +++ >> b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -30,7 +30,6 @@ >> import java.util.HashMap; import java.util.HashSet; import >> java.util.Map; import java.util.Set; -import >> java.util.regex.Matcher; import java.util.regex.Pattern; > >> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12 >> @@ public class AjpProcessor extends AbstractProcessor { // All >> 'known' attributes will be processed by the previous // blocks. Any >> remaining attribute is an 'arbitrary' one. Pattern pattern = >> protocol.getAllowedRequestAttributesPatternInternal(); - >> if (pattern == null) { + if (pattern != null && >> pattern.matcher(n).matches()) { + >> request.setAttribute(n, v); + } else { + >> log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); >> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, >> null); > > Possible DOS by spamming the log file? > > I suppose you can DOS by filling the access log, too :/
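Review bot: the new else branch in the second hunk, `log.warn(sm.getString("ajpprocessor.unknownAttribute", n))`, writes the request-supplied attribute name `n` to the log at WARN on every rejected request, so both the volume of warnings and the bytes that land in each log line are controlled by whatever can reach the AJP connector; consider logging only the first rejection at WARN and later ones at DEBUG, and escaping or truncating `n` before it is formatted into the message. The rest of the change is behaviour-preserving: `pattern != null && pattern.matcher(n).matches()` accepts exactly the attributes the old code accepted, and dropping the `java.util.regex.Matcher` import follows from inlining the matcher.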
How? This is AJP.

Mark