Updated patch attached; comments inline.

On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> >The attached patch fixes GET-based OCSP requests,
> >https://fedorahosted.org/pki/ticket/1658
> >
> >Cheers,
> >Fraser
>
> Some comments:
>
> 1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> security concern:
>
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>
> The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> allow non-standard parsing of the request URI. Using these options when
> behind a reverse proxy may enable an attacker to bypass any security
> constraints enforced by the proxy.
>
> However, since we are not dependent on a proxy to protect PKI pages in
> Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> anybody else has a concern.
>
I do not see a vulnerability - AFAICT the vulnerability was from proxies
enforcing path-based access control but parsing the path differently, which
as you point out is not our situation. Hopefully we are not overlooking
something.
> 2. I think the catalina.properties that needs to be modified is in
> base/server/share/conf. The others are duplicates that should've been
> removed.
>
Patch updated. I'll send another patch removing the obsolete
catalina.properties files soon.

> 3. During deployment the catalina.properties is copied into <instance
> dir>/conf. So if we want to fix existing instances we need to write an
> upgrade script.
>
Added an upgrade script.

Thanks for reviewing!

Fraser
From e4cd7e5974e1be74ac4d360eb881e73b7d5142cc Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 5 Nov 2015 00:17:24 -0500 Subject: [PATCH] Allow encoded slashes in HTTP paths Properly formed GET-based OCSP requests can contain URL-encoded slashes in the HTTP path[1] but our Tomcat configuration does not permit this (returns 400 Bad Request). Change catalina.properties to allow URL-encoded slashes in HTTP paths. [1] https://tools.ietf.org/html/rfc6960#appendix-A.1 Also add an upgrade script to update catalina.properties in existing instances. Fixes: https://fedorahosted.org/pki/ticket/1658 --- base/server/share/conf/catalina.properties | 2 ++ base/server/upgrade/10.3.0/01-AllowEncodedSlash | 37 +++++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100755 base/server/upgrade/10.3.0/01-AllowEncodedSlash diff --git a/base/server/share/conf/catalina.properties b/base/server/share/conf/catalina.properties index 003089a4310455f68c067ccf669123e37a568fe3..2199a78d881da214130f05d186819a043b5e7ee2 100644 --- a/base/server/share/conf/catalina.properties +++ b/base/server/share/conf/catalina.properties @@ -123,3 +123,5 @@ tomcat.util.buf.StringCache.byte.enabled=true #tomcat.util.buf.StringCache.char.enabled=true #tomcat.util.buf.StringCache.trainThreshold=500000 #tomcat.util.buf.StringCache.cacheSize=5000 + +org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true diff --git a/base/server/upgrade/10.3.0/01-AllowEncodedSlash b/base/server/upgrade/10.3.0/01-AllowEncodedSlash new file mode 100755 index 0000000000000000000000000000000000000000..3225d3a7e754e629eb42b1612684695856720134 --- /dev/null +++ b/base/server/upgrade/10.3.0/01-AllowEncodedSlash 
@@ -0,0 +1,37 @@ +#!/usr/bin/python +# Authors: +# Fraser Tweedale <ftwee...@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2016 Red Hat, Inc. +# All rights reserved. + +from __future__ import absolute_import +import os.path +import pki.server.upgrade + +class AllowEncodedSlash(pki.server.upgrade.PKIServerUpgradeScriptlet): + + def __init__(self): + super(AllowEncodedSlash, self).__init__() + self.message = 'Enable Tomcat ALLOW_ENCODED_SLASH parameter' + + def upgrade_instance(self, instance): + path = os.path.join(instance.base_dir, 'conf', 'catalina.properties') + if os.path.isfile(path): + with open(path, 'a+') as f: + data = f.read() + if 'ALLOW_ENCODED_SLASH=' not in data: + f.write('\norg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true\n') -- 2.5.0
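Review bot: The new `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` line appended to catalina.properties carries no comment saying why it is there, even though the thread itself quotes the Tomcat security how-to flagging this property as enabling non-standard parsing of the request URI. Add a short comment above it, e.g. `# GET-based OCSP requests may carry URL-encoded slashes in the path (RFC 6960 Appendix A.1); see ticket 1658`, and record that the setting is considered safe only because PKI enforces its own ACLs rather than relying on a reverse proxy for path-based access control, so anyone who later fronts the instance with a proxy knows to re-examine it.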
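Review bot: In upgrade_instance the duplicate check depends on where the read position sits right after `open(path, 'a+')`, and that is not portable: Python 3's io positions an append-mode file at end-of-file on open, so `data = f.read()` would return an empty string there and every upgrade run would append another copy of the property. Call `f.seek(0)` before reading, or read the file with a plain `open(path)` and then append with a separate `open(path, 'a')`, so the `'ALLOW_ENCODED_SLASH=' not in data` test actually sees the file contents. Separately, that substring test is also satisfied by a commented-out or `=false` line for the same key, in which case the instance is left unfixed; consider matching only an uncommented line that sets the key.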
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel