[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-06-18 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14036673#comment-14036673
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit ee8a4b18ea78e9bb9c2da3d1d7f92860dc7c8b28 in trafficserver's branch 
refs/heads/4.2.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=ee8a4b1 ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in 
IpAllow (not cherrypicked, applied via patch built for 4.2.x)


> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, 
> updated-TS-1981.patch
>
>
> ACL filtering based on HTTP's method is ignored if method received from 
> client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the 
> {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) 
> HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.



--
This message was sent by Atlassian JIRA
(v6.2#6252)


[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014271#comment-14014271
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 0094d4b11091bba7496b19445c380ccb2443cda0 in trafficserver's branch 
refs/heads/5.0.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=0094d4b ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in 
IpAllow




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014272#comment-14014272
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 3b817bc8f61530e554f512f39459ded8d6557852 in trafficserver's branch 
refs/heads/5.0.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3b817bc ]

TS-1981 Url Remap method filter is broken




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014273#comment-14014273
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 9b3adb70e06a37a0f59dc8391bcffa7526f6a249 in trafficserver's branch 
refs/heads/5.0.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9b3adb7 ]

TS-1981 Url Remap method filter is broken




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014215#comment-14014215
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae in trafficserver's branch 
refs/heads/5.0.x from [~thachtran]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3e81811 ]

TS-1981 Url remap method filtering is broken with invalid method.




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread Brian Geffon (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014201#comment-14014201
 ] 

Brian Geffon commented on TS-1981:
--

The latest commit will also solve this same issue in IPAllow, closing.



[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014195#comment-14014195
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 0094d4b11091bba7496b19445c380ccb2443cda0 in trafficserver's branch 
refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=0094d4b ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in 
IpAllow




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014197#comment-14014197
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 9b3adb70e06a37a0f59dc8391bcffa7526f6a249 in trafficserver's branch 
refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9b3adb7 ]

TS-1981 Url Remap method filter is broken




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014194#comment-14014194
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 923269b6132aa81427772aa99c9a70dd535de17a in trafficserver's branch 
refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=923269b ]

Revert "TS-1981 Url remap method filtering is broken with invalid method."

This reverts commit 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae.

Conflicts:
CHANGES




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014196#comment-14014196
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 3b817bc8f61530e554f512f39459ded8d6557852 in trafficserver's branch 
refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3b817bc ]

TS-1981 Url Remap method filter is broken




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread Brian Geffon (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014173#comment-14014173
 ] 

Brian Geffon commented on TS-1981:
--

We have a more complete patch that supports arbitrary methods; I'll revert this 
patch and commit the more robust one.

> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Leif Hedstrom
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, 
> updated-TS-1981.patch
>
>
> ACL filtering based on HTTP's method is ignored if method received from 
> client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the 
> {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) 
> HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.





[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread Brian Geffon (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014121#comment-14014121
 ] 

Brian Geffon commented on TS-1981:
--

[~jacksontj] [~manjeshnilange] I thought you guys had a related fix?



[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14013964#comment-14013964
 ] 

ASF subversion and git services commented on TS-1981:
-

Commit 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae in trafficserver's branch 
refs/heads/master from [~thachtran]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3e81811 ]

TS-1981 Url remap method filtering is broken with invalid method.




[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-30 Thread Alan M. Carroll (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14013924#comment-14013924
 ] 

Alan M. Carroll commented on TS-1981:
-

Looks good. At least I can understand the patch logic.

A stylistic note - why not
{code}
if (rp->method_valid) {
  match = (i >= 0 && i < ACL_FILTER_MAX_METHODS && rp->method_idx[i] == method);
}
{code}


> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, 
> updated-TS-1981.patch
>
>
> ACL filtering based on HTTP's method is ignored if method received from 
> client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the 
> {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) 
> HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.





[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-27 Thread Bryan Call (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14010227#comment-14010227
 ] 

Bryan Call commented on TS-1981:


[~amc]

Again, any updates on this?



[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-05-19 Thread Bryan Call (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14001926#comment-14001926
 ] 

Bryan Call commented on TS-1981:


[~amc]

Any updates on this?



[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2014-03-06 Thread Leif Hedstrom (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13922285#comment-13922285
 ] 

Leif Hedstrom commented on TS-1981:
---

Alan, let's get this reviewed and committed?



[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2013-10-08 Thread Thach Tran (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790043#comment-13790043
 ] 

Thach Tran commented on TS-1981:


I revisited this just now and updated my patch per Alan's comment.

I do agree that the original code is very confusing but after looking at it 
closely, I think it works as expected.
Matching does have an effect; if the rule matches, client_enabled is set based 
on allow_flag while if it doesn't match, client_enabled is set based on *the 
invert* of allow_flag.
On the other hand, you're right that the loop should stop as soon as 
client_enabled is false as there's no point in trying to match the remaining 
rules if it continues to deny given that a previous rule has denied.

I have refactored that bit of code slightly to hopefully make the logic 
clearer. Could you give that a try and see if it's any better?

> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 4.2.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, 
> updated-TS-1981.patch
>
>
> ACL filtering based on HTTP's method is ignored if method received from 
> client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the 
> {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) 
> HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
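
A simplified model of the rule evaluation discussed in this thread (the allow_flag / client_enabled logic described above and the bounds-checked match suggested in the review comment), added here as an example; it is not Traffic Server source and not either attached patch. The method table, `listed[]`, `method_index()` and the fail-open matcher are assumptions made for illustration; `method_valid`, `allow_flag`, `client_enabled` and `ACL_FILTER_MAX_METHODS` are names taken from the comments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration only; not Traffic Server source. */
enum { ACL_FILTER_MAX_METHODS = 4 }; /* name from the thread, value constructed */

/* Constructed table of well-known methods; anything else has no index. */
static const char *const KNOWN_METHODS[ACL_FILTER_MAX_METHODS] = {
  "GET", "POST", "PUT", "DELETE"
};

/* Returns the table index of a method, or -1 for an unrecognised one. */
static int method_index(const char *method)
{
  for (int i = 0; i < ACL_FILTER_MAX_METHODS; i++) {
    if (strcmp(method, KNOWN_METHODS[i]) == 0) {
      return i;
    }
  }
  return -1;
}

struct acl_rule {
  bool allow_flag;                     /* action taken when the rule matches */
  bool method_valid;                   /* rule carries an @method restriction */
  bool listed[ACL_FILTER_MAX_METHODS]; /* hypothetical: methods named by the rule */
};

typedef bool (*match_fn)(const struct acl_rule *rp, int i);

/* Assumed buggy shape: an out-of-range index skips the method test, so the
 * rule still counts as matching and its allow action is applied. */
static bool match_fail_open(const struct acl_rule *rp, int i)
{
  bool match = true;
  if (rp->method_valid && i >= 0 && i < ACL_FILTER_MAX_METHODS) {
    match = rp->listed[i];
  }
  return match;
}

/* Hardened shape, following the single bounds-checked expression suggested
 * in review: an unknown method can never satisfy a method restriction. */
static bool match_strict(const struct acl_rule *rp, int i)
{
  bool match = true;
  if (rp->method_valid) {
    match = (i >= 0 && i < ACL_FILTER_MAX_METHODS && rp->listed[i]);
  }
  return match;
}

/* Evaluation as described in the thread: a matching rule sets the result to
 * allow_flag, a non-matching rule to its inverse, and the loop stops once a
 * rule has denied the request. */
static bool client_enabled(const struct acl_rule *rules, size_t n,
                           const char *method, match_fn matches)
{
  int i = method_index(method);
  bool enabled = true;
  for (size_t r = 0; r < n && enabled; r++) {
    bool match = matches(&rules[r], i);
    enabled = match ? rules[r].allow_flag : !rules[r].allow_flag;
  }
  return enabled;
}

/* Constructed rule standing in for "@method=GET" with an allow action. */
static const struct acl_rule GET_ONLY = {
  .allow_flag = true,
  .method_valid = true,
  .listed = { [0] = true },
};

/* Decision for one request method against the GET-only rule. */
static bool decide(const char *method, match_fn matches)
{
  return client_enabled(&GET_ONLY, 1, method, matches);
}

int main(void)
{
  const char *probes[] = { "GET", "PUT", "AA" };
  for (size_t p = 0; p < sizeof probes / sizeof probes[0]; p++) {
    printf("%-3s fail-open=%s strict=%s\n", probes[p],
           decide(probes[p], match_fail_open) ? "allow" : "deny",
           decide(probes[p], match_strict) ? "allow" : "deny");
  }
  return 0;
}
```

With the fail-open matcher the model reproduces the reported behaviour (PUT denied, AA allowed); with the strict matcher both are denied and GET is still allowed.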


[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2013-10-08 Thread Leif Hedstrom (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13789560#comment-13789560
 ] 

Leif Hedstrom commented on TS-1981:
---

[~amc] [~thachtran] Any updates on this?

> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 4.2.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch





[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2013-07-22 Thread Alan M. Carroll (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715561#comment-13715561
 ] 

Alan M. Carroll commented on TS-1981:
-

I have tried to review the patch but I can not make any sense of the original 
code. As far as I can tell, it de facto only checks if any of the filter rules 
have an allow_flag set to false. The matching has no apparent effect. In line 
888, client_enabled is set based on allow_flag for rules that did *not* match. 
A few lines earlier, this is done for lines that *did* match. So what's the 
point of matching? Also, why doesn't the loop condition have "&& 
client_enabled", since once that gets set false it can never get set back?

> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.5.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch



[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2013-07-22 Thread Thach Tran (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715496#comment-13715496
 ] 

Thach Tran commented on TS-1981:


Thank you for the review and I am terribly sorry for the carelessness. What I 
meant in that condition is

{noformat}
if (!(i >= 0 && i < ACL_FILTER_MAX_METHODS) || method_idx[i] != method)
{noformat}


> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.5.0
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
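
An added example, not code from the patch or from Traffic Server: a minimal C model of a per-method allow list, showing why an unrecognized token such as `AA` passes a fail-open check and is denied by a check shaped like the corrected condition in the comment above. The method table, `struct method_rule`, the function names and the value given to `ACL_FILTER_MAX_METHODS` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Name taken from the thread; its value and everything below are assumptions. */
#define ACL_FILTER_MAX_METHODS 4

/* Hypothetical table of the methods the filter knows by index. */
static const char *const known_methods[ACL_FILTER_MAX_METHODS] = {"GET", "POST", "PUT", "DELETE"};

/* Hypothetical rule: allowed[i] is true when known_methods[i] was listed in @method=. */
struct method_rule { bool allowed[ACL_FILTER_MAX_METHODS]; };

/* Index of a known method, or -1 for any other token (for example "AA"). */
static int method_index(const char *m) {
    for (int i = 0; i < ACL_FILTER_MAX_METHODS; i++)
        if (strcmp(m, known_methods[i]) == 0) return i;
    return -1;
}

/* Rule equivalent to "@method=GET" from the reproduction steps. */
static struct method_rule rule_get_only(void) {
    struct method_rule r = {{false}};
    r.allowed[method_index("GET")] = true;
    return r;
}

/* Fail-open: the deny branch is reachable only for an in-range index,
 * so a method outside the table is never rejected. */
static bool permit_fail_open(const struct method_rule *r, const char *m) {
    int i = method_index(m);
    if (i >= 0 && i < ACL_FILTER_MAX_METHODS && !r->allowed[i]) return false;
    return true;
}

/* Fail-closed: an out-of-range index is itself a reason to deny, and the
 * short-circuit || keeps allowed[i] from being read with a bad index. */
static bool permit_fail_closed(const struct method_rule *r, const char *m) {
    int i = method_index(m);
    if (!(i >= 0 && i < ACL_FILTER_MAX_METHODS) || !r->allowed[i]) return false;
    return true;
}

int main(void) {
    const char *probes[] = {"GET", "PUT", "AA"}; /* the three methods from the report */
    struct method_rule r = rule_get_only();
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("%-3s fail-open=%d fail-closed=%d\n", probes[k],
               permit_fail_open(&r, probes[k]), permit_fail_closed(&r, probes[k]));
    return 0;
}
```

The two checks agree on `GET` and `PUT` and differ only on `AA`, which is why a regression test for a method filter needs at least one token outside the known-method table.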


[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

2013-07-22 Thread Alan M. Carroll (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715352#comment-13715352
 ] 

Alan M. Carroll commented on TS-1981:
-

The conditional at 34 looks wrong - it verifies the index is valid or the 
rp->method_idx, only checking the latter when the index is *out* of range. 
Also, it will never match if the method is within the valid filter methods.

> Url remap method filtering is broken with invalid method
> 
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.3.5
>
> Attachments: 
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch
