[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790043#comment-13790043
 ] 

Thach Tran commented on TS-1981:
--------------------------------

I revisited this just now and updated my patch per Alan's comment.

I do agree that the original code is very confusing but after looking at it 
closely, I think it works as expected.
Matching does have an effect; if the rule matches, client_enabled is set based 
on allow_flag, while if it doesn't match, client_enabled is set based on *the 
inverse* of allow_flag.
On the other hand, you're right that the loop should stop as soon as 
client_enabled is false as there's no point in trying to match the remaining 
rules if it continues to deny given that a previous rule has denied.

I have refactored that bit of code slightly to hopefully make the logic 
clearer. Could you give that a try and see if it's any better?

> Url remap method filtering is broken with invalid method
> --------------------------------------------------------
>
>                 Key: TS-1981
>                 URL: https://issues.apache.org/jira/browse/TS-1981
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, Security
>            Reporter: Thach Tran
>            Assignee: Alan M. Carroll
>             Fix For: 4.2.0
>
>         Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, 
> updated-TS-1981.patch
>
>
> ACL filtering based on HTTP's method is ignored if method received from 
> client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the 
> {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AAAAAA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) 
> HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.
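The filter semantics described in the comment above (match sets client_enabled from allow_flag, a non-match sets it from the inverse, and evaluation stops at the first deny), as an added Python model that is not ATS's own code or the attached patch. The names `Rule`, `parse_remap_line`, `client_enabled` and `KNOWN_METHODS` are illustrative, `@action=allow` is assumed to be the default, and unrecognised methods are denied outright as the issue's title intends.

```python
# Added example (not ATS code): a small model of the remap ACL method-filter
# evaluation described in the comment. Rule/evaluate names are illustrative.
from dataclasses import dataclass

# Methods the model recognises; anything else is treated as invalid (assumption).
KNOWN_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                           "TRACE", "CONNECT", "PURGE", "PUSH"})


@dataclass(frozen=True)
class Rule:
    methods: frozenset   # methods named by @method=...; empty = applies to all
    allow: bool          # True for @action=allow (assumed default), False for deny


def parse_remap_line(line: str) -> Rule:
    """Build one Rule from the @method=/@action= tokens of a remap.conf map line."""
    methods, allow = set(), True
    for tok in line.split()[3:]:           # skip 'map', from-URL, to-URL
        if tok.startswith("@method="):
            methods.add(tok[len("@method="):].upper())
        elif tok.startswith("@action="):
            allow = tok[len("@action="):].lower() == "allow"
    return Rule(frozenset(methods), allow)


def client_enabled(rules, method: str) -> bool:
    """Evaluate the filter chain for one request method.

    A matching rule sets the result from allow_flag, a non-matching rule sets it
    from the inverse of allow_flag, and evaluation stops at the first deny.
    Unrecognised methods are denied before any rule is consulted (modelling
    assumption matching the issue's intent, not the ATS implementation).
    """
    m = method.upper()
    if m not in KNOWN_METHODS:
        return False
    enabled = True
    for rule in rules:
        matched = not rule.methods or m in rule.methods
        enabled = rule.allow if matched else not rule.allow
        if not enabled:
            break                          # a denied request stays denied
    return enabled


# Constructed sample: the exact rule from the issue report.
ISSUE_RULE = parse_remap_line(
    "map http://localhost:8080/ http://www.google.com/ @method=GET")

if __name__ == "__main__":
    for meth in ("GET", "PUT", "AAAAAA"):
        verdict = "200 (allowed)" if client_enabled([ISSUE_RULE], meth) else "403 (denied)"
        print(meth, "->", verdict)
```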



--
This message was sent by Atlassian JIRA
(v6.1#6144)