Dear Maxim,

To insert loggers and print stack traces, could you guide us as follows? Upon parsing through code, we realized that the security header filters (perhaps backported from 4.0.0) are
- declared and instantiated in Application.java and
- a few initialized in OpenmeetingsVariables.java.

From where could we diff the new code of CVE-2017-76**, e.g., for CSRF, XSS, click-jacking, and MIME attacks? We could not find JIRA issues so that we could review the diff.

Should this thread be deemed to belong to dev@..., please post it accordingly.

Thank you.

Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com

From: Maxim Solodovnik [mailto:[email protected]]
Sent: Thursday, July 27, 2017 8:32 PM
To: Openmeetings user-list <[email protected]>; [email protected]
Subject: Re: OM 3.3.0: IllegalArgumentException Upon Entering Room via Proxy Server

Hello Hemant,

Since it works without proxy, I guess the issue is with proxy rules.
I believe you need to enable maximum logging for mod_rewrite and check what is being rewritten ...

On Fri, Jul 28, 2017 at 2:44 AM, Coscend@OM <[email protected]> wrote:

Dear OpenMeetings Community,

Your guidance on how to resolve the following two issues would be appreciated.

=====
Issue
-------
Through the proxy server, we are able to log in to OpenMeetings. Upon entering a room, it gives Error 204, 556, 642 (see attached). NetConnection.Failed. No feature in the room works. If we bypass the proxy server, OpenMeetings works seamlessly. No customization has been done.

What could be causing this error?

Causes
--------
1. INFO: Error parsing HTTP request header
   java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
2. Security framework of XStream not initialized, XStream is probably vulnerable.
   Is this just a warning or a code fault?

-------------------
Relevant Logs
-------------------
...[snipped]
Security framework of XStream not initialized, XStream is probably vulnerable.
...[snipped]
Jul 27, 2017 1:22:41 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
[INFO] [http-nio-10.10.10.105-6083-exec-2] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
        ...[snipped: identical stack trace as above]
Jul 27, 2017 1:22:41 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
        ...[snipped: identical stack trace as above]
[INFO] [http-nio-10.10.10.105-6083-exec-9] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
        ...[snipped: identical stack trace as above]

[attached image]

Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com

--
WBR
Maxim aka solomax
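Added illustration, not from this thread and not OpenMeetings, Tomcat or Apache code: the "Invalid character found in method name" entry is Tomcat's request-line parser rejecting a method name that is not an RFC 7230 token, which is what happens when bytes that are not an HTTP request line (for instance a TLS ClientHello or an RTMP handshake forwarded by a proxy to a plain HTTP connector) reach the connector. The script below reproduces the token rule, classifies a few constructed connection preambles (the TLS and RTMP first-byte signatures are illustrative heuristics), and counts the error per connector thread in a constructed sample of the log format quoted above.

```python
import re
import string

# RFC 7230 tchar set; Tomcat's HttpParser.isToken applies the same rule
# to every byte of the method name.
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

def is_token(method: bytes) -> bool:
    """True if the method name consists only of RFC 7230 token characters."""
    return len(method) > 0 and all(chr(b) in TCHAR for b in method)

def check_request_line(preamble: bytes) -> str:
    """Classify the first bytes read from a client connection.

    Returns 'ok' for a well-formed request line, otherwise a short
    diagnosis a defender can map to a proxy misconfiguration. The TLS and
    RTMP checks are first-byte heuristics (assumed here), not Tomcat logic.
    """
    data = preamble.lstrip(b"\r\n")           # Tomcat skips leading blank lines
    if data[:2] == b"\x16\x03":
        return "tls-handshake-on-plain-http"  # TLS record: handshake, version 3.x
    if data[:1] == b"\x03":
        return "rtmp-handshake-on-http"       # RTMP C0 version byte
    method, sep, _rest = data.partition(b" ")
    if not sep or not is_token(method):
        return "invalid-method-token"         # the case Tomcat logs
    return "ok"

# Matches the log4j-style entries in the thread; the java.util.logging-style
# entries carry no thread name and are deliberately not matched.
LOG_LINE = re.compile(r"\[(?P<thread>http-nio-[^\]]+)\] .*Error parsing HTTP request header")

def count_parse_errors(log_text: str) -> dict:
    """Count 'Error parsing HTTP request header' entries per connector thread."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            counts[m.group("thread")] = counts.get(m.group("thread"), 0) + 1
    return counts

# Constructed sample in the format of the thread's log excerpt.
SAMPLE_LOG = """\
[INFO] [http-nio-10.10.10.105-6083-exec-2] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
[INFO] [http-nio-10.10.10.105-6083-exec-9] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
[INFO] [http-nio-10.10.10.105-6083-exec-2] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
"""

if __name__ == "__main__":
    for sample in (b"GET /openmeetings/ HTTP/1.1\r\n", b"\x16\x03\x01\x00\xc4", b"\x03" + bytes(8)):
        print(sample[:8], "->", check_request_line(sample))
    print(count_parse_errors(SAMPLE_LOG))
```

A burst of these entries on one connector at the moment a client enters a room, while direct access works, points at what the proxy forwards to that port rather than at the application.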
