Christopher Schultz <ch...@christopherschultz.net> wrote:

>> Well yeah, it’s not like Envoy is a super niche proxy. We also found
>> the exact same issue in two other proxies in our network by the way.
>> Any proxy that does not consider path parameters when doing
>> path-based access control will have this issue when combined with a
>> server that does support them.
> This statement can be generalized to the following:
> 
> "When HTTP proxies and origin-servers disagree about how to process
> requests (specifically their URLs), Bad Things can happen."
> 
> I would expect most proxies to behave the way that Envoy evidently does:
> pass-through the URL in the request to the origin server. It's kind of a
> requirement of the HTTP spec(s).

That’s also what I expected. The issue is not about the URL that is passed on, 
but the way path access rules are evaluated.

> On the other hand, if you are applying a security-constraint at the
> proxy layer, I would expect that the server would at least explain how
> path-parameters are handled/normalized/removed/resolved/etc. Either
> Envoy doesn't publish that information, or you didn't read that section
> of the manual.

We’ve been in contact with the Envoy people as well. Currently Envoy has no 
concept of path parameters, which is why the combination of Envoy with path 
access rules and Tomcat is vulnerable. But it seems that based on this thread 
Envoy might start ignoring path parameters when doing path access checks.

> There may even be a setting like
> normalize-URLs-to-be-proxied-for-authorization-checks or something like
> that. Or maybe not.

They are already normalized for the check, but without considering path 
parameters, which makes the system vulnerable. The normalization is only for 
the access check. If deemed allowed the URL is passed on unmodified from the 
original request AFAIK.

> But again, if the proxy and origin disagree, you'd better know the
> details and plan for them.

So we’ve learned now, yes. 

Nils.
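To make the disagreement Nils describes concrete, here is an added example (not code from this thread, from Envoy, or from Tomcat) that models a proxy which normalizes only `.`/`..` for its path rule and an origin that strips servlet-style `;param` suffixes from every segment first, then shows the hardened check that normalizes the same way the origin does. The prefix rule, the normalization order and the sample paths are all assumptions constructed for the illustration.

```python
"""Added example: path-rule evaluation at a proxy versus a servlet container.

Assumptions (constructed, not taken from the thread): access rules are plain
prefix rules; the origin removes ';...' from each path segment before
resolving '.' and '..' (servlet-style); the proxy only resolves '.' and '..'.
Paths are treated as already percent-decoded.
"""
import posixpath

# Constructed rule set: anything under /admin must never reach the origin.
DENY_PREFIXES = ["/admin"]


def resolve_dots(path: str) -> str:
    """Collapse '.' and '..' segments, keeping the path absolute."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def proxy_view(raw_path: str) -> str:
    """Normalization that ignores path parameters (the weak behaviour)."""
    return resolve_dots(raw_path)


def origin_view(raw_path: str) -> str:
    """Servlet-style: drop ';...' from every segment, then resolve dots."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    return resolve_dots(stripped)


def _under_denied_prefix(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in DENY_PREFIXES)


def naive_proxy_allows(raw_path: str) -> bool:
    """Rule applied to the proxy's own (parameter-blind) view of the path."""
    return not _under_denied_prefix(proxy_view(raw_path))


def hardened_proxy_allows(raw_path: str) -> bool:
    """Mitigation: evaluate the rule on the path as the origin will see it."""
    return not _under_denied_prefix(origin_view(raw_path))


def disagreements(raw_paths):
    """Paths the naive rule lets through although the origin maps them
    into a denied prefix; run this over your rule set as a regression check."""
    return [p for p in raw_paths
            if naive_proxy_allows(p) and _under_denied_prefix(origin_view(p))]
```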

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org