On 02/06/2020 16:57, Christopher Schultz wrote:
> Mark,
>
> On 6/2/20 11:44, Mark Thomas wrote:
>> On 02/06/2020 16:37, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 6/2/20 06:24, ma...@apache.org wrote:
>>>> This is an automated email from the ASF dual-hosted git
>>>> repository.
>>>
>>>> markt pushed a commit to branch master in repository
>>>> https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>>
>>>> The following commit(s) were added to refs/heads/master by this push:
>>>>      new 186aae3  Fix BZ 64483 Log a warning when an AJP request is rejected
>>>> 186aae3 is described below
>>>
>>>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9
>>>> Author: Mark Thomas <ma...@apache.org>
>>>> AuthorDate: Tue Jun 2 11:22:35 2020 +0100
>>>
>>>>     Fix BZ 64483 Log a warning when an AJP request is rejected
>>>> ---
>>>>  java/org/apache/coyote/ajp/AjpProcessor.java       | 14 ++++----------
>>>>  java/org/apache/coyote/ajp/LocalStrings.properties |  1 +
>>>>  webapps/docs/changelog.xml                         |  4 ++++
>>>>  3 files changed, 9 insertions(+), 10 deletions(-)
>>> >>>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java >>>> b/java/org/apache/coyote/ajp/AjpProcessor.java index >>>> d24a818..77d6a94 100644 --- >>>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++ >>>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 >>>> @@ import java.util.HashMap; import java.util.HashSet; import >>>> java.util.Map; import java.util.Set; -import >>>> java.util.regex.Matcher; import java.util.regex.Pattern; >>> >>>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 >>>> +778,12 @@ public class AjpProcessor extends AbstractProcessor >>>> { // All 'known' attributes will be processed by the previous >>>> // blocks. Any remaining attribute is an 'arbitrary' one. >>>> Pattern pattern = >>>> protocol.getAllowedRequestAttributesPatternInternal(); - if >>>> (pattern == null) { + if (pattern != null >>>> && pattern.matcher(n).matches()) { + request.setAttribute(n, >>>> v); + } else { + >>>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); >>>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, >>>> null);
>>>
>>> Possible DOS by spamming the log file?
>>>
>>> I suppose you can DOS by filling the access log, too :/
>
>> How? This is AJP.
>
> Exposed endpoint. *shrug*
>
> I understand that this was added to make debugging of
> secured-endpoints easier (so the owner can whitelist whatever they
> seem to have forgotten) but anyone spamming the AJP port can cause a
> lot of output.
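Review bot: in the @@ -779,17 +778,12 @@ hunk the new `else` branch folds two distinct conditions into one warning: no `allowedRequestAttributesPattern` configured at all (`pattern == null`) and an attribute name that fails `pattern.matcher(n).matches()`. Both now log the same `ajpprocessor.unknownAttribute` message, so an administrator reading the log cannot tell whether to set the pattern or to extend it; a second message key for the unconfigured case (or an extra argument saying whether a pattern was present) would make the warning actionable. Separately, the warning writes the peer-supplied attribute name `n` at WARN level on every rejected request, with no first-time-then-debug downgrade of the kind the thread mentions for malformed HTTP requests; if that is a deliberate choice, the changelog entry (not visible in this excerpt) should say so, and the message text should make clear that the name was received from the proxy side so it is not mistaken for a local configuration value.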
Ah. I thought the secret was checked earlier than it is.

> This would be similar to sending malformed HTTP requests, which we
> currently log a single time and then subsequent errors are logged "at
> debug level" so you can at least disable them for production.

I'm still in favour of leaving this as it is for multiple reasons:

- If users have exposed an AJP port to the public internet and are
  getting spammed / attacked they need to know.
- A misconfigured "private" Connector is far more likely than a
  correctly secured "public" one.
- In terms of load it should be no worse than the access log (which is
  only noticeable when you load test on localhost with a trivial
  servlet). There is no exception generated here which is the more
  usual source of load in these scenarios.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
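The thread turns on the difference between a "private" AJP Connector that is exposed by mistake and one that is actually locked down. The server.xml fragment below is an added example, not part of the thread or of the Tomcat project's own configuration: it places a weak Connector definition next to a hardened one so the relevant attributes can be compared. Port, address, secret value and the attribute names in the pattern are assumptions; the pattern must list whatever names your reverse proxy really forwards as arbitrary AJP request attributes.

```xml
<!-- Added example (not from the thread). Two AJP Connector definitions for
     server.xml; keep only one. All concrete values are assumptions. -->

<!-- WEAK: listens on every interface, accepts peers without a shared secret,
     and lets the proxy set any request attribute name it likes. A scanner that
     reaches this port can talk AJP to Tomcat directly. -->
<!--
<Connector protocol="AJP/1.3"
           port="8009"
           redirectPort="8443"
           secretRequired="false"
           allowedRequestAttributesPattern=".*" />
-->

<!-- HARDENED: bound to loopback so only a proxy on the same host can reach it,
     a shared secret the proxy must present, and an explicit allow-list of
     arbitrary request attribute names. Anything outside the pattern is
     rejected with 403 and (after the commit above) logged with the
     ajpprocessor.unknownAttribute warning, which is how you find a name you
     forgot to add. The two attribute names below are placeholders. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="replace-with-a-long-random-value-shared-with-the-proxy"
           allowedRequestAttributesPattern="^(PROXY_TENANT|PROXY_CLIENT_DN)$" />
```

Binding to `127.0.0.1` (or to the proxy-facing interface only, with a host firewall in front) removes the "exposed endpoint" case that worries Christopher; the secret and the attribute pattern then deal with a proxy or co-tenant that can reach the port but should not be trusted blindly. After deploying a tightened pattern, watch the Tomcat log for the unknown-attribute warning: in a correct setup it should appear only while you are still discovering which names the proxy sends, and a steady stream of it means either the pattern is wrong or something other than your proxy is speaking to the port.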