changelog.xml

markt Fri, 19 Aug 2016 09:56:59 -0700

Author: markt
Date: Fri Aug 19 16:56:33 2016
New Revision: 1756940

URL: http://svn.apache.org/viewvc?rev=1756940&view=rev
Log:
Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to 
mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can 
be used to mitigate any future, similar issues.


Modified:
    tomcat/tc8.5.x/trunk/   (props changed)
    tomcat/tc8.5.x/trunk/conf/web.xml
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/servlets/CGIServlet.java
    tomcat/tc8.5.x/trunk/webapps/docs/cgi-howto.xml
    tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Aug 19 16:56:33 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
 
,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747
 
924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1756289,1756408-1756410,1
 756778,1756798,1756878,1756898
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
 
,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747
 
924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1756289,1756408-1756410,1
 756778,1756798,1756878,1756898,1756939

Modified: tomcat/tc8.5.x/trunk/conf/web.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/web.xml?rev=1756940&r1=1756939&r2=1756940&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/conf/web.xml (original)
+++ tomcat/tc8.5.x/trunk/conf/web.xml Fri Aug 19 16:56:33 2016
@@ -334,6 +334,15 @@
   <!--   executable           Name of the executable used to run the        -->
   <!--                        script. [perl]                                -->
   <!--                                                                      -->
+  <!--   envHttpHeaders       A regular expression used to select the HTTP  -->
+  <!--                        headers passed to the CGI process as          -->
+  <!--                        environment variables. Note that headers are  -->
+  <!--                        converted to upper case before matching and   -->
+  <!--                        that the entire header name must match the    -->
+  <!--                        pattern.                                      -->
+  <!--                        [ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|  -->
+  <!--                         IF-[-0-9A-Z]*|REFERER|USER-AGENT]            -->
+  <!--                                                                      -->
   <!--   parameterEncoding    Name of parameter encoding to be used with    -->
   <!--                        CGI servlet.                                  -->
   <!--                        [System.getProperty("file.encoding","UTF-8")] -->
@@ -353,7 +362,7 @@
           <param-name>cgiPathPrefix</param-name>
           <param-value>WEB-INF/cgi</param-value>
         </init-param>
-         <load-on-startup>5</load-on-startup>
+        <load-on-startup>5</load-on-startup>
     </servlet>
 -->
 

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/servlets/CGIServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/servlets/CGIServlet.java?rev=1756940&r1=1756939&r2=1756940&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/servlets/CGIServlet.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/servlets/CGIServlet.java Fri 
Aug 19 16:56:33 2016
@@ -35,6 +35,7 @@ import java.util.Locale;
 import java.util.Map.Entry;
 import java.util.StringTokenizer;
 import java.util.Vector;
+import java.util.regex.Pattern;
 
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
@@ -265,6 +266,16 @@ public final class CGIServlet extends Ht
      */
     private long stderrTimeout = 2000;
 
+    /**
+     * The regular expression used to select HTTP headers to be passed to the
+     * CGI process as environment variables. The name of the environment
+     * variable will be the name of the HTTP header converter to upper case,
+     * prefixed with <code>HTTP_</code> and with all <code>-</code> characters
+     * converted to <code>_</code>.
+     */
+    private Pattern envHttpHeadersPattern = Pattern.compile(
+            
"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
+
     /** object used to ensure multiple threads don't try to expand same file */
     private static final Object expandFileLock = new Object();
 
@@ -326,6 +337,10 @@ public final class CGIServlet extends Ht
                     "stderrTimeout"));
         }
 
+        if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
+            envHttpHeadersPattern =
+                    
Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
+        }
     }
 
 
@@ -963,12 +978,8 @@ public final class CGIServlet extends Ht
                 //REMIND: rewrite multiple headers as if received as single
                 //REMIND: change character set
                 //REMIND: I forgot what the previous REMIND means
-                if ("AUTHORIZATION".equalsIgnoreCase(header) ||
-                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
-                    //NOOP per CGI specification section 11.2
-                } else {
-                    envp.put("HTTP_" + header.replace('-', '_'),
-                             req.getHeader(header));
+                if (envHttpHeadersPattern.matcher(header).matches()) {
+                    envp.put("HTTP_" + header.replace('-', '_'), 
req.getHeader(header));
                 }
             }
 

Modified: tomcat/tc8.5.x/trunk/webapps/docs/cgi-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/cgi-howto.xml?rev=1756940&r1=1756939&r2=1756940&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/cgi-howto.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/cgi-howto.xml Fri Aug 19 16:56:33 2016
@@ -103,6 +103,12 @@ if your script is itself executable (e.g
 <li><strong>executable-arg-1</strong>, <strong>executable-arg-2</strong>,
 and so on - additional arguments for the executable. These precede the
 CGI script name. By default there are no additional arguments.</li>
+<li><strong>envHttpHeaders</strong> - A regular expression used to select the
+HTTP headers passed to the CGI process as environment variables. Note that
+headers are converted to upper case before matching and that the entire header
+name must match the pattern. Default is
+<code>ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT</code>
+</li>
 <li><strong>parameterEncoding</strong> - Name of the parameter encoding
 to be used with the CGI servlet. Default is
 <code>System.getProperty("file.encoding","UTF-8")</code>. That is the system

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1756940&r1=1756939&r2=1756940&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Fri Aug 19 16:56:33 2016
@@ -146,6 +146,13 @@
         <code>StandardRoot</code> instance now invalidate the cache if caching
         is enabled. (markt)
       </fix>
+      <add>
+        Add a new initialisation parameter, <code>envHttpHeaders</code>, to
+        the CGI Servlet to mitigate <a href="https://httpoxy.org";>httpoxy</a>
+        (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388";
+        >CVE-2016-5388</a>) by default and to provide a mechanism that can be
+        used to mitigate any future, similar issues. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1756940 - in /tomcat/tc8.5.x/trunk: ./ conf/web.xml java/org/apache/catalina/servlets/CGIServlet.java webapps/docs/cgi-howto.xml webapps/docs/changelog.xml

Reply via email to