On Wed, Jan 20, 2016 at 09:58:23AM -0600, Endi Sukma Dewata wrote:
> On 1/19/2016 12:06 AM, Fraser Tweedale wrote:
> >Updated patch attached; comments inline.
> >
> >On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> >>On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> >>>The attached patch fixes GET-based OCSP requests,
> >>>https://fedorahosted.org/pki/ticket/1658
> >>>
> >>>Cheers,
> >>>Fraser
> >>
> >>Some comments:
> >>
> >>1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> >>security concern:
> >>
> >>http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> >>
> >>The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> >>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> >>allow non-standard parsing of the request URI. Using these options when
> >>behind a reverse proxy may enable an attacker to bypass any security
> >>constraints enforced by the proxy.
> >>
> >>However, since we are not dependent on a proxy to protect PKI pages in
> >>Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> >>anybody else has a concern.
> >>
> >I do not see a vulnerability - AFAICT the vulnerability was from
> >proxies enforcing path-based access control but parsed path
> >differently, which as you point out is not our situation. Hopefully
> >we are not overlooking something.
> >
> >>2. I think the catalina.properties that needs to be modified is in
> >>base/server/share/conf. The others are duplicates that should've been
> >>removed.
> >>
> >Patch updated. I'll send another patch removing the obsolete
> >catalina.properties files soon.
> >
> >>3. During deployment the catalina.properties is copied into <instance
> >>dir>/conf. So if we want to fix existing instances we need to write an
> >>upgrade script.
> >>
> >Added an upgrade script.
> >
> >Thanks for reviewing!
> >Fraser
> >
>
> ACK.
>

Thanks; pushed to master:
cbcdeddc2e794be3955edf20ea1597e58c443ba6 Allow encoded slashes in HTTP paths

_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel
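The thread above discusses why GET-based OCSP needs Tomcat's ALLOW_ENCODED_SLASH and why the Tomcat security how-to warns about it. The following is an added, self-contained Python example written for this page; it is not code from the Dogtag PKI project or from the thread. It shows (1) how an OCSP GET path is built (base64 of the DER request, URL-encoded, which is where %2F comes from), (2) a simulation of Tomcat's behaviour with ALLOW_ENCODED_SLASH unset versus set, and (3) the proxy-bypass scenario the how-to refers to: a hypothetical reverse proxy that matches the raw, undecoded path is bypassed once the backend decodes %2F, while a hypothetical in-application ACL that sees the decoded path is not. The OCSP request bytes are a constructed stand-in (not a valid OCSPRequest), and the proxy rule, the in-app ACL and the /ca/admin/ prefix are assumptions for illustration only.

```python
"""Added example (not Dogtag PKI code): GET-based OCSP paths, Tomcat's
ALLOW_ENCODED_SLASH, and the proxy path-matching mismatch it can expose."""
import base64
import re
from typing import Optional
from urllib.parse import quote, unquote

# Constructed stand-in for a DER-encoded OCSPRequest. It is NOT a valid
# OCSP request; it is chosen so its base64 form contains '/', '+' and '='.
SAMPLE_OCSP_REQUEST_DER = b"\x30\x06\xa1\x04\xff\xfe\xfd\xfc"

# Tomcat rejects an encoded slash in either case unless the property is set.
ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)


def ocsp_get_path(base_path: str, der_request: bytes) -> str:
    """Build the path of an OCSP GET request as RFC 6960 Appendix A describes
    it: base64(DER) appended to the responder URL, with the base64 text
    URL-encoded. safe="" forces '/', '+' and '=' to be percent-encoded."""
    b64 = base64.b64encode(der_request).decode("ascii")
    return base_path.rstrip("/") + "/" + quote(b64, safe="")


def tomcat_decode_path(raw_path: str, allow_encoded_slash: bool = False) -> Optional[str]:
    """Simulation of Tomcat's URI decoding (not Tomcat's code). With the
    default org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false a
    path containing %2F is answered with 400 Bad Request (None here); with
    the property set to true the path is decoded and %2F becomes '/'."""
    if not allow_encoded_slash and ENCODED_SLASH.search(raw_path):
        return None
    return unquote(raw_path)


def servlet_ocsp_request(decoded_path: str, base_path: str) -> bytes:
    """What a responder servlet does with the decoded path: strip the
    responder prefix and base64-decode everything that remains, slashes
    included (so the servlet must be mapped with a /* style pattern)."""
    prefix = base_path.rstrip("/") + "/"
    if not decoded_path.startswith(prefix):
        raise ValueError("path does not belong to this responder")
    return base64.b64decode(decoded_path[len(prefix):])


def naive_proxy_allows(raw_path: str, denied_prefix: str = "/ca/admin/") -> bool:
    """Hypothetical reverse-proxy rule that matches the undecoded request
    path. This is the mismatch the Tomcat security how-to warns about."""
    return not raw_path.startswith(denied_prefix)


def app_acl_allows(decoded_path: str, denied_prefix: str = "/ca/admin/") -> bool:
    """Hypothetical in-application ACL. It sees the path after Tomcat has
    decoded it, so encoding tricks in the raw request do not change its
    decision. This is the property the thread relies on."""
    return not decoded_path.startswith(denied_prefix)


def bypass_outcome(raw_path: str, denied_prefix: str = "/ca/admin/") -> dict:
    """Run one raw path through the proxy rule, both Tomcat settings and
    the in-app ACL, and report each decision."""
    decoded = tomcat_decode_path(raw_path, allow_encoded_slash=True)
    return {
        "proxy_allows": naive_proxy_allows(raw_path, denied_prefix),
        "tomcat_default": tomcat_decode_path(raw_path, allow_encoded_slash=False),
        "tomcat_allow_encoded_slash": decoded,
        "app_acl_allows": app_acl_allows(decoded, denied_prefix),
    }


if __name__ == "__main__":
    path = ocsp_get_path("/ca/ocsp", SAMPLE_OCSP_REQUEST_DER)
    print("OCSP GET path:             ", path)
    print("default Tomcat:            ", tomcat_decode_path(path))
    print("ALLOW_ENCODED_SLASH=true:  ", tomcat_decode_path(path, True))
    print("proxy bypass check:        ", bypass_outcome("/ca/admin%2Fconsole"))
```

Run as-is to see the three outcomes. The check a practitioner wants before enabling the property is the last one: if anything in front of Tomcat enforces path-based rules on the raw request line (a reverse proxy, a WAF), it must normalise %2F the same way Tomcat now does, or the rule must be enforced again inside the application on the decoded path, as the in-app ACL in this example is.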
