[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14036673#comment-14036673 ]

ASF subversion and git services commented on TS-1981:

Commit ee8a4b18ea78e9bb9c2da3d1d7f92860dc7c8b28 in trafficserver's branch refs/heads/4.2.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=ee8a4b1 ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in IpAllow (not cherrypicked, applied via patch built for 4.2.x)

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014271#comment-14014271 ]

ASF subversion and git services commented on TS-1981:

Commit 0094d4b11091bba7496b19445c380ccb2443cda0 in trafficserver's branch refs/heads/5.0.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=0094d4b ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in IpAllow

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014272#comment-14014272 ]

ASF subversion and git services commented on TS-1981:

Commit 3b817bc8f61530e554f512f39459ded8d6557852 in trafficserver's branch refs/heads/5.0.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3b817bc ]

TS-1981 Url Remap method filter is broken

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014273#comment-14014273 ]

ASF subversion and git services commented on TS-1981:

Commit 9b3adb70e06a37a0f59dc8391bcffa7526f6a249 in trafficserver's branch refs/heads/5.0.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9b3adb7 ]

TS-1981 Url Remap method filter is broken

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014215#comment-14014215 ]

ASF subversion and git services commented on TS-1981:

Commit 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae in trafficserver's branch refs/heads/5.0.x from [~thachtran]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3e81811 ]

TS-1981 Url remap method filtering is broken with invalid method.

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014201#comment-14014201 ]

Brian Geffon commented on TS-1981:

The latest commit will also solve this same issue in IPAllow, closing.

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014195#comment-14014195 ]

ASF subversion and git services commented on TS-1981:

Commit 0094d4b11091bba7496b19445c380ccb2443cda0 in trafficserver's branch refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=0094d4b ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in IpAllow

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014197#comment-14014197 ]

ASF subversion and git services commented on TS-1981:

Commit 9b3adb70e06a37a0f59dc8391bcffa7526f6a249 in trafficserver's branch refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9b3adb7 ]

TS-1981 Url Remap method filter is broken

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014194#comment-14014194 ]

ASF subversion and git services commented on TS-1981:

Commit 923269b6132aa81427772aa99c9a70dd535de17a in trafficserver's branch refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=923269b ]

Revert "TS-1981 Url remap method filtering is broken with invalid method."

This reverts commit 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae.

Conflicts:
CHANGES

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014196#comment-14014196 ]

ASF subversion and git services commented on TS-1981:

Commit 3b817bc8f61530e554f512f39459ded8d6557852 in trafficserver's branch refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3b817bc ]

TS-1981 Url Remap method filter is broken

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Brian Geffon
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014173#comment-14014173 ]

Brian Geffon commented on TS-1981:

We have a more complete patch that supports arbitrary methods, I'll revert this patch and commit the more robust one.

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Leif Hedstrom
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14014121#comment-14014121 ]

Brian Geffon commented on TS-1981:

[~jacksontj] [~manjeshnilange] I thought you guys had a related fix?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Leif Hedstrom
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14013964#comment-14013964 ]

ASF subversion and git services commented on TS-1981:

Commit 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae in trafficserver's branch refs/heads/master from [~thachtran]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3e81811 ]

TS-1981 Url remap method filtering is broken with invalid method.

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Leif Hedstrom
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14013924#comment-14013924 ]

Alan M. Carroll commented on TS-1981:

Looks good. At least I can understand the patch logic. A stylistic note - why not
{code}
if (rp->method_valid) {
  match = (i >= 0 && i < ACL_FILTER_MAX_METHODS && rp->method_idx[i] == method);
}
{code}

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14010227#comment-14010227 ]

Bryan Call commented on TS-1981:

[~amc] Again, any updates on this?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14001926#comment-14001926 ]

Bryan Call commented on TS-1981:

[~amc] Any updates on this?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13922285#comment-13922285 ]

Leif Hedstrom commented on TS-1981:

Alan, let's get this reviewed and committed?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Labels: review
> Fix For: 5.0.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790043#comment-13790043 ]

Thach Tran commented on TS-1981:

I revisited this just now and updated my patch per Alan's comment.

I do agree that the original code is very confusing but after looking at it closely, I think it works as expected. Matching does have an effect; if the rule matches, client_enabled is set based on allow_flag while if it doesn't match, client_enabled is set based on *the inverse* of allow_flag.

On the other hand, you're right that the loop should stop as soon as client_enabled is false as there's no point in trying to match the remaining rules if it continues to deny given that a previous rule has denied.

I have refactored that bit of code slightly to hopefully make the logic clearer. Could you give that a try and see if it's any better?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 4.2.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.1#6144)
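
Added example (not from the thread or from Traffic Server's source): a small C++ model of the rule loop as the comments above describe it, showing how a range guard that sits outside the comparison lets an unrecognised method such as `AA` pass a `@method=GET` rule, and how the expression from the review comment denies it. The method table, the `AclRule` layout, the helper names and the fail-open variant are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstring>

// Constructed model for illustration; this is not Traffic Server source.
// ACL_FILTER_MAX_METHODS, method_valid, method_idx, allow_flag and
// client_enabled are names from the thread; everything else is hypothetical.
enum { ACL_FILTER_MAX_METHODS = 4 };
static const char *const KNOWN_METHODS[ACL_FILTER_MAX_METHODS] = {"GET", "POST", "PUT", "DELETE"};

struct AclRule {
  bool allow_flag;                         // true = allow on match, false = deny on match
  bool method_valid;                       // rule carries an @method restriction
  int method_idx[ACL_FILTER_MAX_METHODS];  // slot i holds id i+1 when that method is listed, else 0
};

// Slot of a recognised method, or -1 for an unrecognised token such as "AA".
static int method_slot(const char *name) {
  for (int i = 0; i < ACL_FILTER_MAX_METHODS; ++i)
    if (std::strcmp(name, KNOWN_METHODS[i]) == 0) return i;
  return -1;
}

// Sample-data helper: a rule that lists exactly one method.
static AclRule rule_for(bool allow, const char *method) {
  AclRule r = {allow, true, {0, 0, 0, 0}};
  int i = method_slot(method);
  if (i >= 0) r.method_idx[i] = i + 1;
  return r;
}

// Fail-open (assumed reconstruction of the reported symptom): the comparison
// only runs when the index is in range, so an unknown method leaves match true.
static bool matches_fail_open(const AclRule *rp, int i, int method) {
  bool match = true;
  if (rp->method_valid && i >= 0 && i < ACL_FILTER_MAX_METHODS)
    match = (rp->method_idx[i] == method);
  return match;
}

// Fail-closed: the expression suggested in the review comment. An
// out-of-range index makes the whole conjunction false, so no match.
static bool matches_fail_closed(const AclRule *rp, int i, int method) {
  bool match = true;
  if (rp->method_valid)
    match = (i >= 0 && i < ACL_FILTER_MAX_METHODS && rp->method_idx[i] == method);
  return match;
}

// Rule loop as described in the thread: a match applies allow_flag, a miss
// applies its inverse, and evaluation stops once a rule has denied.
static bool client_enabled_for(const AclRule *rules, int n, const char *method_name, bool fail_closed) {
  int i = method_slot(method_name);
  int method = (i >= 0) ? i + 1 : -1;
  bool client_enabled = true;
  for (int r = 0; r < n && client_enabled; ++r) {
    const AclRule *rp = &rules[r];
    bool match = fail_closed ? matches_fail_closed(rp, i, method)
                             : matches_fail_open(rp, i, method);
    client_enabled = match ? rp->allow_flag : !rp->allow_flag;
  }
  return client_enabled;
}

int main() {
  AclRule rules[1] = {rule_for(true, "GET")};  // models "@method=GET"
  const char *probes[3] = {"GET", "PUT", "AA"};
  for (int p = 0; p < 3; ++p)
    std::printf("%-3s fail-open=%d fail-closed=%d\n", probes[p],
                client_enabled_for(rules, 1, probes[p], false),
                client_enabled_for(rules, 1, probes[p], true));
  return 0;
}
```
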
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13789560#comment-13789560 ]

Leif Hedstrom commented on TS-1981:

[~amc] [~thachtran] Any updates on this?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 4.2.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715561#comment-13715561 ]

Alan M. Carroll commented on TS-1981:

I have tried to review the patch but I can not make any sense of the original code. As far as I can tell, it de facto only checks if any of the filter rules have an allow_flag set to false. The matching has no apparent effect. In line 888, client_enabled is set based on allow_flag for rules that did *not* match. A few lines earlier, this is done for lines that *did* match. So what's the point of matching?

Also, why doesn't the loop condition have "&& client_enabled", since once that gets set false it can never get set back?

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.5.0
>
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch
>
> ACL filtering based on HTTP's method is ignored if method received from client is invalid.
> To reproduce, with the default 8080 {{server_ports}} configure the {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> One will see that TS sends back a 403 Access Denied as expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715496#comment-13715496 ]

Thach Tran commented on TS-1981:

Thank you for the review and I am terribly sorry for the carelessness. What I meant in that condition is
{noformat}
if (!(i >= 0 && i < ACL_FILTER_MAX_METHODS) || method_idx[i] != method)
{noformat}

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.5.0
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch
[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method
[ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715352#comment-13715352 ]

Alan M. Carroll commented on TS-1981:

The conditional at 34 looks wrong - it verifies the index is valid or the rp->method_idx, only checking the latter when the index is *out* of range. Also, it will never match if the method is within the valid filter methods.

> Url remap method filtering is broken with invalid method
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.3.5
> Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch
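An added example, not part of the thread and not Traffic Server code: a small C model of the condition discussed in the review of "the conditional at 34" and in the reply that gives the intended form. The `struct rule` layout, the value of `ACL_FILTER_MAX_METHODS`, the method id and the un-negated "flawed" variant are assumptions reconstructed from the two comments; the out-of-range read is counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>

#define ACL_FILTER_MAX_METHODS 16 /* assumed value, not from the thread */
#define METHOD_GET 7              /* constructed method id */

/* Hypothetical rule model: slot i holds the method id listed there, 0 if unused. */
struct rule { int method_idx[ACL_FILTER_MAX_METHODS]; };

/* Constructed sample: a rule that lists only GET, in slot 1. */
static const struct rule sample = { .method_idx = { [1] = METHOD_GET } };

static int oob_reads; /* lookups that would have left the array */

/* Guarded read, so the flawed variant runs without undefined behaviour. */
static int slot(const struct rule *rp, int i) {
    if (i < 0 || i >= ACL_FILTER_MAX_METHODS) { oob_reads++; return 0; }
    return rp->method_idx[i];
}

/* Assumed reconstruction of the reviewed condition: the range test is not
 * negated, so an in-range i short-circuits to "mismatch" and the array is
 * consulted only when i is out of range. */
static bool mismatch_flawed(const struct rule *rp, int i, int method) {
    return (i >= 0 && i < ACL_FILTER_MAX_METHODS) || slot(rp, i) != method;
}

/* The form given in the reply: an out-of-range i is a mismatch without any
 * array read; an in-range i is compared against its slot. */
static bool mismatch_intended(const struct rule *rp, int i, int method) {
    return !(i >= 0 && i < ACL_FILTER_MAX_METHODS) || slot(rp, i) != method;
}

int main(void) {
    int idx[] = { 1, 2, -1, ACL_FILTER_MAX_METHODS };
    for (int k = 0; k < 4; k++) {
        int before = oob_reads;
        bool f = mismatch_flawed(&sample, idx[k], METHOD_GET);
        int f_oob = oob_reads - before;
        before = oob_reads;
        bool g = mismatch_intended(&sample, idx[k], METHOD_GET);
        printf("i=%3d flawed: mismatch=%d oob=%d | intended: mismatch=%d oob=%d\n",
               idx[k], f, f_oob, g, oob_reads - before);
    }
    return 0;
}
```

With the intended form, the short-circuit `||` is what keeps `method_idx[i]` from being evaluated for an index outside the array, so the order of the two operands matters.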