Mark,

On 6/2/20 11:44, Mark Thomas wrote:
> On 02/06/2020 16:37, Christopher Schultz wrote:
>> Mark,
>>
>> On 6/2/20 06:24, ma...@apache.org wrote:
>>> This is an automated email from the ASF dual-hosted git repository.
>>>
>>> markt pushed a commit to branch master in repository
>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>> The following commit(s) were added to refs/heads/master by this push:
>>>      new 186aae3  Fix BZ 64483 Log a warning when an AJP request is rejected
>>> 186aae3 is described below
>>>
>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9
>>> Author: Mark Thomas <ma...@apache.org>
>>> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
>>>
>>>     Fix BZ 64483 Log a warning when an AJP request is rejected
>>> ---
>>>  java/org/apache/coyote/ajp/AjpProcessor.java       | 14 ++++----------
>>>  java/org/apache/coyote/ajp/LocalStrings.properties |  1 +
>>>  webapps/docs/changelog.xml                         |  4 ++++
>>>  3 files changed, 9 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java >>> b/java/org/apache/coyote/ajp/AjpProcessor.java index >>> d24a818..77d6a94 100644 --- >>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++ >>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 >>> @@ import java.util.HashMap; import java.util.HashSet; import >>> java.util.Map; import java.util.Set; -import >>> java.util.regex.Matcher; import java.util.regex.Pattern; >> >>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 >>> +778,12 @@ public class AjpProcessor extends AbstractProcessor >>> { // All 'known' attributes will be processed by the previous >>> // blocks. Any remaining attribute is an 'arbitrary' one. >>> Pattern pattern = >>> protocol.getAllowedRequestAttributesPatternInternal(); - if >>> (pattern == null) { + if (pattern != null >>> && pattern.matcher(n).matches()) { + request.setAttribute(n, >>> v); + } else { + >>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); >>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, >>> null);
>>
>> Possible DOS by spamming the log file?
>>
>> I suppose you can DOS by filling the access log, too :/
>
> How? This is AJP.

Exposed endpoint. *shrug*

I understand that this was added to make debugging of secured endpoints easier (so the owner can whitelist whatever they seem to have forgotten) but anyone spamming the AJP port can cause a lot of output. This would be similar to sending malformed HTTP requests, which we currently log a single time and then subsequent errors are logged "at debug level" so you can at least disable them for production.
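Review bot: the new `else` branch in the AjpProcessor hunk calls `log.warn(sm.getString("ajpprocessor.unknownAttribute", n))` on every rejected request, with no rate limiting and with the client-supplied attribute name `n` embedded in the message, so any peer that can reach the AJP port can drive an unbounded stream of WARN lines (and arbitrary text) into the log. Suggest logging the first rejection at WARN and subsequent ones at DEBUG, as the thread notes is already done for malformed HTTP requests, while keeping the unchanged `response.setStatus(403)` and `setErrorState(ErrorState.CLOSE_CLEAN, null)` handling so the request is still refused; the message key `ajpprocessor.unknownAttribute` referenced here must also be present in the LocalStrings.properties change listed in the diff stat.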
-chris