On 22/06/2020 12:23, Yann Ylavic wrote:
On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere <jfcl...@gmail.com> wrote:
But there is still something I want to prevent:
ProxyPass /docs ajp://localhost:8009/docs
and a URL like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp"
How do we do that? Do we want a 400 for that? (my proposal does that :-)).
Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none and we'll be DECLINED.
For the moment I am getting a 200 and the test/index.jsp from tomcat...
Hmm, do you mean that mod_proxy (alias_match_servlet) forwards
http://localhost:8000/test/index.php in this case, even if there is no
mapping for "/test" ??
Yes :D
Well tomcat maps "http://localhost:8080/docs/..;food=bar/test/index.jsp"
to http://localhost:8080/test/index.jsp which looks bad if you only map
ProxyPass /docs ajp://localhost:8009/docs
In my testing it's not mapped, so it ends up being handled by the
default_handler() which returns 404.
The 400 will come only if no module handles the URI, and if the
default_handler() finds no "docs/..;food=bar/test/index.jsp" in the
path (where "..;foo=bar" is not considered a directory traversal in
this case).
ProxyPass /docs ajp://localhost:8009/docs
being mapped as /test/index.jsp (by tomcat) when you
query "http://localhost:8000/docs/..;food=bar/test/index.jsp" looks wrong
and should be avoidable.
On my system, this runs smoothly:
$ mkdir -p 'docs/..;foo=bar/test'
$ touch 'docs/..;foo=bar/test/index.php'
$ ls 'docs/..;foo=bar/test/index.php'
'docs/..;foo=bar/test/index.php'
Correct, the hardening is to prevent the "tomcat customers mistake" that gets
unexpected contexts exposed. I am not able to get it working with your
proposal.
I don't think we should refuse anything in mod_proxy, either forward
or let it be handled elsewhere.
I disagree and think that some should be rejected ;-) but of course I am
using httpd to protect "a" back-end. That behaviour should NOT be the
default behavior (and yes mod_rewrite or mod_security are also there to
help).
Regards;
Yann.
--
Cheers
Jean-Frederic
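The disagreement in this thread is that httpd's default_handler treats "..;foo=bar" as an ordinary directory name while the servlet container drops the ";param" part of each segment and then resolves the "..". The check below is an added illustration for this thread, not code from httpd, Tomcat or either poster; the "servlet view" rule (strip ";key=value" per segment, then normalise) is assumed from the behaviour the thread reports, and the sample requests are constructed.

```python
"""Compare the two interpretations of a proxied request path and flag
the ones where they disagree (constructed example, not httpd code)."""
import posixpath


def filesystem_view(path: str) -> str:
    # httpd/default_handler semantics: ';' is an ordinary character, so
    # '..;foo=bar' is a normal (if odd) directory name and no traversal occurs.
    return posixpath.normpath(path)


def servlet_view(path: str) -> str:
    # Assumed servlet-container semantics: each segment's ';key=value' path
    # parameter is dropped before normalising, so '..;foo=bar' becomes '..'.
    bare = [segment.split(";", 1)[0] for segment in path.split("/")]
    return posixpath.normpath("/".join(bare))


def under(path: str, prefix: str) -> bool:
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def classify(request_path: str, proxy_prefix: str) -> tuple[str, str]:
    """Decide what to do with a request against 'ProxyPass <prefix> ajp://...'.
    Returns (decision, detail):
      'forward'  - both views stay under the prefix; detail is the backend path
      'declined' - the request is not for this ProxyPass at all
      'reject'   - the views disagree: the backend would serve something
                   outside the mapped context (the 400 case in the thread)
    """
    fs = filesystem_view(request_path)
    sv = servlet_view(request_path)
    if not under(fs, proxy_prefix):
        return ("declined", fs)
    if under(sv, proxy_prefix):
        return ("forward", sv)
    return ("reject", sv)


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL discussed above.
    for p in ["/docs/..;food=bar/test/index.jsp",
              "/docs/index.html",
              "/docs/sub;jsessionid=abc123/page.jsp",
              "/docs/../test/index.jsp"]:
        print(p, "->", classify(p, "/docs"))
```

Only the "reject" case needs the extra rule; a plain "..", as the last sample shows, is already resolved by httpd before mod_proxy sees it.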