Author: rjung
Date: Fri Jun 22 10:17:40 2007
New Revision: 549885

URL: http://svn.apache.org/viewvc?view=rev&rev=549885
Log:
New option RejectUnsafeURI (Apache),
resp. reject_unsafe (IIS, Netscape)

This blocks all URLs that contain percent signs '%'
or backslashes '\' after URL decoding.
Most web apps do not use such URLs. Using the option, one
can block several well known URL encoding attacks.
By default, this option is not set.
For Apache httpd one could also realize such a check with
mod_rewrite, which is more powerful. Our method works for all
supported web servers.

Modified:
    tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
    tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
    tomcat/connectors/trunk/jk/native/common/jk_global.h
    tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
    tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h
    tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c
    tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c
    tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
    tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
    tomcat/connectors/trunk/jk/xdocs/reference/iis.xml
    tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml

Modified: tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c Fri Jun 22 10:17:40 
2007
@@ -1759,6 +1759,9 @@
         else if (!strcasecmp(w, "ForwardKeySize")) {
             opt = JK_OPT_FWDKEYSIZE;
         }
+        else if (!strcasecmp(w, "RejectUnsafeURI")) {
+            opt = JK_OPT_REJECTUNSAFE;
+        }
         else
             return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
                               "'", NULL);
@@ -1857,7 +1860,6 @@
 
     /*
      * JkAutoMount specifies that the list of handled URLs must be
-     * JkAutoMount specifies that the list of handled URLs must be
      * asked to the servlet engine (autoconf feature)
      */
     {"JkAutoMount", jk_automount_context, NULL, RSRC_CONF, TAKE12,
@@ -2531,10 +2533,15 @@
                                                                            
&jk_module);
         open_jk_log(srv, p);
         if (sconf) {
+            sconf->options &= ~sconf->exclude_options;
             if (!uri_worker_map_alloc(&(sconf->uw_map),
                                       sconf->uri_to_context, sconf->log))
                 jk_error_exit(APLOG_MARK, APLOG_EMERG, srv,
                               p, "Memory error");
+            if (sconf->options & JK_OPT_REJECTUNSAFE)
+                sconf->uw_map->reject_unsafe = 1;
+            else
+                sconf->uw_map->reject_unsafe = 0;
             if (sconf->mount_file) {
                 sconf->uw_map->fname = sconf->mount_file;
                 sconf->uw_map->reload = sconf->mount_file_reload;
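Review bot: The four-line if/else ending in `sconf->uw_map->reject_unsafe = 1;` / `= 0;` only copies a flag bit into an int and reads more simply as `sconf->uw_map->reject_unsafe = (sconf->options & JK_OPT_REJECTUNSAFE) ? 1 : 0;`. The same construct appears in the apache-2.0 mod_jk.c hunk (`@@ -2825,10 +2828,15 @@`) and in jk_isapi_plugin.c (`@@ -1730,6 +1732,10 @@`, where the source is the static `reject_unsafe`). Moving `sconf->options &= ~sconf->exclude_options;` ahead of this test is what makes the exclude mask apply to the new option, so the relocated line and the test belong together; a one-line comment such as `/* apply JkOptions exclusions before any option bit is consulted */` would keep a later reordering from separating them again. The enclosing server-init function starts and ends outside this hunk.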
@@ -2547,7 +2554,6 @@
                     ap_log_error(APLOG_MARK, APLOG_ERR, srv,
                                  "JkRequestLogFormat format array NULL");
             }
-            sconf->options &= ~sconf->exclude_options;
             if (sconf->envvars_in_use) {
                 int i;
                 const array_header *arr;

Modified: tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c Fri Jun 22 10:17:40 
2007
@@ -1790,6 +1790,9 @@
         else if (!strcasecmp(w, "ForwardKeySize")) {
             opt = JK_OPT_FWDKEYSIZE;
         }
+        else if (!strcasecmp(w, "RejectUnsafeURI")) {
+            opt = JK_OPT_REJECTUNSAFE;
+        }
         else
             return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
                                "'", NULL);
@@ -2825,10 +2828,15 @@
                 if (open_jklog(srv, pconf))
                     return HTTP_INTERNAL_SERVER_ERROR;
                 if (sconf) {
+                    sconf->options &= ~sconf->exclude_options;
                     if (!uri_worker_map_alloc(&(sconf->uw_map),
                                               sconf->uri_to_context, 
sconf->log))
                         jk_error_exit(APLOG_MARK, APLOG_EMERG, srv,
                                       srv->process->pool, "Memory error");
+                    if (sconf->options & JK_OPT_REJECTUNSAFE)
+                        sconf->uw_map->reject_unsafe = 1;
+                    else
+                        sconf->uw_map->reject_unsafe = 0;
                     if (sconf->mount_file) {
                         sconf->uw_map->fname = sconf->mount_file;
                         sconf->uw_map->reload = sconf->mount_file_reload;
@@ -2841,7 +2849,6 @@
                             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                          "JkRequestLogFormat format array 
NULL");
                     }
-                    sconf->options &= ~sconf->exclude_options;
                     if (sconf->envvars_in_use) {
                         int i;
                         const apr_array_header_t *arr;

Modified: tomcat/connectors/trunk/jk/native/common/jk_global.h
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_global.h?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_global.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_global.h Fri Jun 22 10:17:40 
2007
@@ -245,6 +245,7 @@
 #define JK_OPT_DISABLEREUSE         0x0080
 #define JK_OPT_FWDCERTCHAIN         0x0100
 #define JK_OPT_FWDKEYSIZE           0x0200
+#define JK_OPT_REJECTUNSAFE         0x0400
 
 /* Check for EBCDIC systems */
 

Modified: tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.c Fri Jun 22 
10:17:40 2007
@@ -535,6 +535,7 @@
                               const char *uri, jk_logger_t *l)
 {
     unsigned int i;
+    int reject_unsafe;
     const char *rv = NULL;
     char  url[JK_MAX_URI_LEN+1];
 
@@ -564,6 +565,7 @@
     /* Make the copy of the provided uri and strip
      * everything after the first ';' char.
      */
+    reject_unsafe = uw_map->reject_unsafe;
     for (i = 0; i < strlen(uri); i++) {
         if (i == JK_MAX_URI_LEN) {
             jk_log(l, JK_LOG_WARNING,
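Review bot: The loop header `for (i = 0; i < strlen(uri); i++)` re-evaluates strlen(uri) on every iteration, and this commit puts the reject_unsafe test inside that loop body for every mapped request; hoisting it as `size_t len = strlen(uri);` and comparing `i < len` is the cheaper and clearer form. This is pre-existing context rather than something the commit introduced. The enclosing function begins before this hunk and continues after it.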
@@ -574,15 +576,21 @@
         }
         if (uri[i] == ';')
             break;
-        else
+        else {
             url[i] = uri[i];
+            if (reject_unsafe && (url[i] == '%' || url[i] == '\\')) {
+                jk_log(l, JK_LOG_INFO, "Potentially unsafe request url '%s' 
rejected", uri);
+                JK_TRACE_EXIT(l);
+                return NULL;
+            }
+        }
     }
     url[i] = '\0';
 
     if (JK_IS_DEBUG_LEVEL(l)) {
         char *url_rewrite = strstr(uri, JK_PATH_SESSION_IDENTIFIER);
         if (url_rewrite)
-            jk_log(l, JK_LOG_DEBUG, "separating session identifier '%s' from 
url '%s'",
+            jk_log(l, JK_LOG_DEBUG, "Found session identifier '%s' in url 
'%s'",
                    url_rewrite, uri);
     }
     if (JK_IS_DEBUG_LEVEL(l))
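Review bot: The new scan only inspects bytes that were copied into `url`, i.e. the part of `uri` before the first ';'; a '%' or '\' in the stripped `;…` suffix is never examined, so if the request that is eventually forwarded still carries the original `uri`, this check does not cover that suffix. Either scanning `uri` in full before the copy loop, or a comment stating the limitation such as `/* reject_unsafe inspects only the path before the first ';' */`, would make the contract explicit. `return NULL` from this mapper means "no worker" to the caller; whether the caller then answers with an error or lets the web server serve the path itself is decided outside this hunk, so the word "rejected" in the JK_LOG_INFO message should be checked against that behaviour. The enclosing function starts before this hunk and ends after it.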

Modified: tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_uri_worker_map.h Fri Jun 22 
10:17:40 2007
@@ -111,6 +111,8 @@
     /* Dynamic config support */
 
     JK_CRIT_SEC cs;
+    /* should we forward potentially unsafe URLs */
+    int reject_unsafe;    
     /* uriworkermap filename */
     const char *fname;    
     /* uriworkermap reload check interval */
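Review bot: The comment `/* should we forward potentially unsafe URLs */` says the opposite of what the field does: jk_uri_worker_map.c reads `reject_unsafe` and returns NULL for URLs containing '%' or '\' when it is non-zero, so 1 means reject, not forward. Replace it with `/* non-zero: refuse to map URLs that still contain '%' or '\\' after decoding */`. The added declaration line also carries trailing whitespace. The enclosing struct begins before this hunk.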

Modified: tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c (original)
+++ tomcat/connectors/trunk/jk/native/iis/jk_isapi_plugin.c Fri Jun 22 10:17:40 
2007
@@ -101,6 +101,7 @@
 #define WORKER_MOUNT_RELOAD_TAG     ("worker_mount_reload")
 #define STRIP_SESSION_TAG           ("strip_session")
 #define AUTH_COMPLETE_TAG           ("auth_complete")
+#define REJECT_UNSAFE_TAG           ("reject_unsafe")
 
 
 #define TRANSLATE_HEADER            ("Translate:")
@@ -194,6 +195,7 @@
 static int strip_session = 0;
 static DWORD auth_notification_flags = 0;
 static int   use_auth_notification_flags = 1;
+static int reject_unsafe = 0;
 
 #define URI_SELECT_OPT_PARSED       0
 #define URI_SELECT_OPT_UNPARSED     1
@@ -1730,6 +1732,10 @@
 
     if (uri_worker_map_alloc(&uw_map, NULL, logger)) {
         rc = JK_FALSE;
+        if (reject_unsafe)
+            uw_map->reject_unsafe = 1;
+        else
+            uw_map->reject_unsafe = 0;
         uw_map->fname = worker_mount_file;
         uw_map->reload = worker_mount_reload;
         if (worker_mount_file[0])
@@ -1849,6 +1855,7 @@
     worker_mount_reload = get_config_int(src, WORKER_MOUNT_RELOAD_TAG, 
JK_URIMAP_DEF_RELOAD);
     strip_session = get_config_bool(src, STRIP_SESSION_TAG, JK_FALSE);
     use_auth_notification_flags = get_config_int(src, AUTH_COMPLETE_TAG, 1);
+    reject_unsafe = get_config_bool(src, REJECT_UNSAFE_TAG, JK_FALSE);
     if (using_ini_file) {
         jk_map_free(&map);
     }

Modified: tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c (original)
+++ tomcat/connectors/trunk/jk/native/netscape/jk_nsapi_plugin.c Fri Jun 22 
10:17:40 2007
@@ -33,6 +33,7 @@
 
 #define URI_PATTERN "path"
 #define DEFAULT_WORKER_NAME ("ajp13")
+#define REJECT_UNSAFE_TAG   ("reject_unsafe")
 
 #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
 
@@ -95,6 +96,7 @@
     if (uri_worker_map_alloc(&uw_map, NULL, logger)) {
         uw_map->fname = "";
         uw_map->reload = JK_URIMAP_DEF_RELOAD;
+        uw_map->reject_unsafe = jk_map_get_bool(init_map, "worker." 
REJECT_UNSAFE_TAG, JK_FALSE);
         worker_env.uri_to_worker = uw_map;
         if (wc_open(init_map, &worker_env, logger)) {
             init_on_other_thread_is_ok = JK_TRUE;
@@ -227,6 +229,7 @@
     char *log_level_str = pblock_findval(JK_LOG_LEVEL_TAG, pb);
     char *log_file = pblock_findval(JK_LOG_FILE_TAG, pb);
     char *shm_file = pblock_findval(JK_SHM_FILE_TAG, pb);
+    char *reject_unsafe = pblock_findval(JK_REJECT_UNSAFE_TAG, pb);
 
     int rc = REQ_ABORTED;
 
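Review bot: `pblock_findval(JK_REJECT_UNSAFE_TAG, pb)` uses a macro that no hunk in this commit defines; the tag this file adds a few hunks earlier is `REJECT_UNSAFE_TAG` (`#define REJECT_UNSAFE_TAG ("reject_unsafe")`). Unless JK_REJECT_UNSAFE_TAG already exists in a shared header outside this diff, this line will not compile, and the intended form is presumably `char *reject_unsafe = pblock_findval(REJECT_UNSAFE_TAG, pb);`. The enclosing init function starts before this hunk and continues past it.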
@@ -269,6 +272,7 @@
                 jk_log(logger, JK_LOG_ERROR, "Error in resolving configuration 
references");
             }
 
+            jk_map_add(init_map, "worker." REJECT_UNSAFE_TAG, reject_unsafe); 
             s = systhread_start(SYSTHREAD_DEFAULT_PRIORITY,
                                 0, init_workers_on_other_threads, init_map);
             for (sleep_cnt = 0; sleep_cnt < 60; sleep_cnt++) {
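Review bot: `jk_map_add(init_map, "worker." REJECT_UNSAFE_TAG, reject_unsafe);` passes the raw pblock_findval result, which is presumably a null pointer when the parameter is absent from the configuration; whether jk_map_add and the later `jk_map_get_bool(..., JK_FALSE)` tolerate a NULL value cannot be seen from this hunk. Adding the entry only when a value was supplied, `if (reject_unsafe) jk_map_add(init_map, "worker." REJECT_UNSAFE_TAG, reject_unsafe);`, lets the JK_FALSE default in jk_map_get_bool stand for the absent case. The added line also ends in trailing whitespace. The enclosing function starts and ends outside this hunk.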

Modified: tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Fri Jun 22 
10:17:40 2007
@@ -28,6 +28,10 @@
   <subsection name="Native">
     <changelog>
       <update>
+      Common/Apache/IIS/Netscape: Add an option to check decoded URLs for
+      potentially malicious constructions. (rjung)
+      </update>
+      <update>
       IIS: Document auth_complete and uri_select. (rjung)
       </update>
       <update>

Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Fri Jun 22 10:17:40 
2007
@@ -514,6 +514,30 @@
 </p>
 
 <p>
+JkOptions <b>RejectUnsafeURI</b> will block all
+URLs, which contain percent signs '%' or backslashes '\'
+after decoding.
+<br/>
+<br/>
+</p>
+<p>
+Most web apps do not use such URLs. Using the option RejectUnsafeURI, you
+can block several well known URL encoding attacks. By default, this option
+is not set.
+</p>
+<p>
+You can also realize such a check with mod_rewrite, which is more powerful
+but also slightly more complicated.
+
+<source>  
+  JkOptions     +RejectUnsafeURI
+</source>
+
+<br/>
+<br/>
+</p>
+
+<p>
 JkOptions <b>ForwardDirectories</b> is used in conjunction with 
<b>DirectoryIndex</b>
 directive of Apache web server. As such mod_dir should be available to Apache,
 statically or dynamically (DSO)
@@ -535,7 +559,7 @@
 </p>
 
 <p>
-If ForwarDirectories is set to true and Apache doesn't find any files that
+If ForwardDirectories is set to true and Apache doesn't find any files that
 match, the request will be forwarded to Tomcat for resolution. This is used in
 cases when Apache cannot see the index files on the file system for various
 reasons: Tomcat is running on a different machine, the JSP file has been

Modified: tomcat/connectors/trunk/jk/xdocs/reference/iis.xml
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/iis.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/iis.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/iis.xml Fri Jun 22 10:17:40 2007
@@ -93,6 +93,8 @@
 A string value representing a boolean. If it is set to true,
 URL session suffixes of the form ";jsessionid=..." get stripped of URLs,
 even if the are served locally by the web server.
+</p>
+<p>
 A true value can be represented by the string "1" or any string starting
 with the letters "T" or "t". A false value will be assumed for "0"
 or any string starting with "F" or "f". The default value is false.
@@ -142,7 +144,22 @@
 </p>
 <p>The default value since version 1.2.24 is "proxy". Before it was 
"parsed".</p>
 </attribute>
+<attribute name="reject_unsafe" required="false"><p>
+A string value representing a boolean. If it is set to true,
+URLs containing percent signs '%' or backslashes '\'
+after decoding will be rejected.
+</p>
+<p>
+Most web apps do not use such URLs. By enabling "reject_unsafe" you
+can block several well known URL encoding attacks.
+</p>
 <p>
+A true value can be represented by the string "1" or any string starting
+with the letters "T" or "t". A false value will be assumed for "0"
+or any string starting with "F" or "f". The default value is false.
+</p>
+<p>This directive has been added in version 1.2.24</p>
+</attribute>
 </attributes>
 </section> 
 <section name="Using a properties file for configuration">

Modified: tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml?view=diff&rev=549885&r1=549884&r2=549885
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml Fri Jun 22 
10:17:40 2007
@@ -545,6 +545,30 @@
 </p>
 
 <p>
+JkOptions <b>RejectUnsafeURI</b> will block all
+URLs, which contain percent signs '%' or backslashes '\'
+after decoding.
+<br/>
+<br/>
+</p>
+<p>
+Most web apps do not use such URLs. Using the option RejectUnsafeURI, you
+can block several well known URL encoding attacks. By default, this option
+is not set.
+</p>
+<p>
+You can also realize such a check with mod_rewrite, which is more powerful
+but also slightly more complicated.
+
+<source>
+  JkOptions     +RejectUnsafeURI
+</source>
+
+<br/>
+<br/>
+</p>
+
+<p>
 JkOptions <b>ForwardDirectories</b> is used in conjunction with 
<b>DirectoryIndex</b>
 directive of Apache web server. As such mod_dir should be available to Apache,
 statically or dynamically (DSO)


