On 22/06/2020 12:23, Yann Ylavic wrote:
On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere <jfcl...@gmail.com> wrote:


But there is still something I want to prevent:
ProxyPass  /docs ajp://localhost:8009/docs
and url like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp"
How do we do that? Do we want a 400 for that? (my proposal do that :-)).

Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none and we'll be DECLINED.

For the moment I am getting a 200 and the test/index.jsp from tomcat...

Hmm, do you mean that mod_proxy (alias_match_servlet) forwards
http://localhost:8000/test/index.php in this case, even if there is no
mapping for "/test" ??

Yes :D
Well, tomcat maps "http://localhost:8080/docs/..;food=bar/test/index.jsp" to http://localhost:8080/test/index.jsp, which looks bad if you only map
ProxyPass  /docs ajp://localhost:8009/docs


In my testing it's not mapped, so it ends up being handled by the
default_handler() which returns 404.



The 400 will come only if no module handles the URI, and if the
default_handler() finds no "docs/..;food=bar/test/index.jsp" in the
path (where "..;foo=bar" is not considered a directory traversal in
this case).

ProxyPass  /docs ajp://localhost:8009/docs
being mapped as /test/index.jsp (by tomcat) when you
query "http://localhost:8000/docs/..;food=bar/test/index.jsp" looks wrong
and should be avoidable.


On my system, this runs smoothly:
$ mkdir -p 'docs/..;foo=bar/test'
$ touch 'docs/..;foo=bar/test/index.php'
$ ls 'docs/..;foo=bar/test/index.php'
'docs/..;foo=bar/test/index.php'


Correct, the hardening is to prevent a "tomcat customers' mistake" that gets
unexpected contexts exposed. I am not able to get it working with your
proposal.

I don't think we should refuse anything in mod_proxy, either forward
or let it be handled elsewhere.

I disagree and think that some should be rejected ;-) but of course I am using httpd to protect "a" back-end. That behaviour should NOT be the default behavior (and yes mod_rewrite or mod_security are also there to help).




Regards;
Yann.


--
Cheers

Jean-Frederic
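As an added illustration (not code from this thread, nor from httpd or Tomcat), here is a small Python model of the mismatch the thread is about: httpd's prefix matching for `ProxyPass /docs` sees the literal segment `..;food=bar` and forwards the request, while a servlet-style normalization that strips `;param` path parameters before resolving `..` lands on `/test/index.jsp`, outside the proxied context. `servlet_normalize` is a simplified assumption of that backend behaviour, and `should_reject` is the kind of front-end 400 check the thread debates.

```python
def servlet_normalize(path: str) -> str:
    """Simplified model (assumption, not Tomcat's code) of servlet-style
    normalization: drop ';param' path parameters from each segment, then
    resolve '.' and '..'. Expects an already percent-decoded path."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # '..;food=bar' becomes '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()               # leaves the proxied context
            continue
        out.append(seg)
    return "/" + "/".join(out)


def _under(path: str, prefix: str) -> bool:
    # Literal prefix match, the way a 'ProxyPass /docs ...' entry is matched
    # in the thread: '..;food=bar' is just another directory name here.
    return path == prefix or path.startswith(prefix + "/")


def context_escapes(request_path: str, proxied_prefix: str) -> bool:
    """True when the front end matches the prefix literally but the
    backend's normalized path no longer lies under that prefix."""
    return _under(request_path, proxied_prefix) and not _under(
        servlet_normalize(request_path), proxied_prefix
    )


def should_reject(request_path: str) -> bool:
    """Candidate 400 rule: any segment that is '..' once path parameters
    are removed, so 'docs/..;food=bar/test' is refused up front while a
    plain ';jsessionid=...' segment is left alone."""
    return any(seg.split(";", 1)[0] == ".." for seg in request_path.split("/"))


if __name__ == "__main__":
    # Constructed sample: the request from the thread against ProxyPass /docs.
    req = "/docs/..;food=bar/test/index.jsp"
    print(servlet_normalize(req))             # /test/index.jsp
    print(context_escapes(req, "/docs"))      # True
    print(should_reject(req))                 # True
```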