The issue is not reproducible using "vanilla" OM. This means it is caused by your proxy server (apache, nginx etc.),
so you have to enable detailed logs at your proxy server, especially rewrite-related logs.

On Fri, Jul 28, 2017 at 11:14 AM, Coscend@OM <[email protected]> wrote:

> Dear Maxim,
>
> To insert loggers and print stack traces, could you guide us as follows?
>
> Upon parsing through code, we realized that the security header filters
> (perhaps backported from 4.0.0) are
> - declared and instantiated in Application.java and
> - a few initialized in OpenmeetingsVariables.java.
>
> From where could we diff the new code of CVE-2017-76**, e.g., for CSRF,
> XSS, click-jacking, and MIME attacks? We could not find JIRA issues so
> that we could review the diff.
>
> Should this thread be deemed to belong to dev@..., please post it
> accordingly.
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
> Coscend Communications Solutions
> www.Coscend.com
>
> *From:* Maxim Solodovnik [mailto:[email protected]]
> *Sent:* Thursday, July 27, 2017 8:32 PM
> *To:* Openmeetings user-list <[email protected]>; [email protected]
> *Subject:* Re: OM 3.3.0: IllegalArgumentException Upon Entering Room via Proxy Server
>
> Hello Hemant,
>
> Since it works without proxy, I guess the issue is with proxy rules.
> I believe you need to enable maximum logging for mod_rewrite and check
> what is being rewritten ...
>
> On Fri, Jul 28, 2017 at 2:44 AM, Coscend@OM <[email protected]> wrote:
>
> Dear OpenMeetings Community,
>
> Your guidance on how to resolve the following two issues would be
> appreciated.
>
> =====
> Issue
> -------
>
> Through the proxy server, we are able to login to OpenMeetings. Upon
> entering room, it gives
>
> Error 204, 556, 642 (see attached).
> NetConnection. Failed.
>
> No feature in the room works.
>
> If we bypass proxy server, OpenMeetings works seamlessly. No
> customization has been done. What could be causing this error?
>
> Causes
> --------
>
> 1. INFO: Error parsing HTTP request header
>    java.lang.IllegalArgumentException: Invalid character found in method
>    name. HTTP method names must be tokens
>
> 2. Security framework of XStream not initialized, XStream is probably
>    vulnerable.
>
>    Is this just a warning or code fault?
>
> -------------------
> Relevant Logs
> -------------------
>
> ...[snipped]
>
> Security framework of XStream not initialized, XStream is probably vulnerable.
>
> ...[snipped]
>
> Jul 27, 2017 1:22:41 PM org.apache.coyote.http11.Http11Processor service
> INFO: Error parsing HTTP request header
> Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
>     at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> [INFO] [http-nio-10.10.10.105-6083-exec-2] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
> Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
>     at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> Sincerely,
>
> Hemant K. Sabat
> Coscend Communications Solutions
> www.Coscend.com
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
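A diagnostic check for the first cause in the logs above, added here as an example and not part of the thread or of OpenMeetings: it validates the method of a raw request line against the RFC 7230 token grammar that Tomcat's parseRequestLine() enforces, and separately flags a TLS handshake arriving on the plain HTTP connector, which is one cause of this error behind a misconfigured proxy (an assumption about what the proxy may be sending, not something the thread establishes). The failing_threads() helper and SAMPLE_LOG lines are constructed in the log format shown above.

```python
import re
import string

# RFC 7230 "tchar": the only characters permitted in an HTTP method token;
# Tomcat's parseRequestLine() rejects any other byte in the method.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# Constructed log lines in the format the thread's Tomcat log uses.
SAMPLE_LOG = """\
[INFO] [http-nio-10.10.10.105-6083-exec-2] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
[INFO] [http-nio-10.10.10.105-6083-exec-9] org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
[INFO] [http-nio-10.10.10.105-6083-exec-2] org.apache.coyote.http11.Http11Processor - Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level
"""
PARSE_ERR = re.compile(r"\[(http-nio-[^\]]+-exec-\d+)\] \S+ - Error parsing HTTP request header")


def classify_request_line(raw: bytes) -> dict:
    """Explain why Tomcat would reject (or accept) the method in `raw`."""
    verdict = {"method": None, "valid": False, "reason": None}
    # A TLS record starts with content type 0x16 (handshake) and major
    # version 0x03: HTTPS bytes delivered to a plain-HTTP connector.
    if raw[:2] == b"\x16\x03":
        verdict["reason"] = "TLS handshake sent to plain HTTP connector"
        return verdict
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    method_bytes = first_line.split(b" ", 1)[0]
    try:
        method = method_bytes.decode("ascii")
    except UnicodeDecodeError:
        verdict["reason"] = "non-ASCII bytes in method name"
        return verdict
    verdict["method"] = method
    bad = sorted({c for c in method if c not in TCHAR})
    if not method:
        verdict["reason"] = "empty method name"
    elif bad:
        verdict["reason"] = "invalid character(s) in method name: %r" % "".join(bad)
    else:
        verdict["valid"] = True
    return verdict


def failing_threads(log_text: str) -> dict:
    """Count 'Error parsing HTTP request header' events per connector thread."""
    counts = {}
    for m in PARSE_ERR.finditer(log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

Feed classify_request_line() the first bytes captured from the proxy-to-Tomcat connection (a tcpdump or proxy debug log); a TLS verdict points at a scheme/port mismatch in the proxy rules rather than at OpenMeetings.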
