Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Rainer Jung]

Sorry for being offline for 2 weeks :(
Sorry for the long post coming :((

I just now read the URL rewriting discussion. Although the discussion 
seems to have come to an end, I find it worthwhile to actually add some 
structure to it:


1) How to forward the URL

I already suggested a different forwarding default in my discussion 3 
weeks ago. It was very close to what we ended up now and there are only 
minor points to decide upon.


Since Tomcat does an additional decoding we have to prevent double 
decoding in order to ensure correct URL mapping (independent of 
security; an encoded percent is legitimate and needs to be handled 
correctly as a percent at the end).


My original proposal included only reencoding percent signs (and maybe 
spaces), because all other URL characters will not get double decoded by 
Tomcat. If we don't trust this assumption, we could of course reencode a 
lot more characters, like mod_proxy does. There will be some performance 
penalty, because we could check pretty fast, if there are '%' or ' ' 
characters in the URL, and in case they are not, there's nothing to do 
in my proposal. mod_proxy has a far longer list of chars to reencode and 
so it doesn't do checking and instead runs the reencode loop directly.


The mod_proxy people have a good reason for encoding more characters: 
the same code gets used for http, ftp and ajp forwarding. We could be 
able to know, how the AJP connector works (do we?), so we could choose 
to not reencode for instance characters above 127.


But Remy made a good point: different components might have different 
decoding settings. I'm not sure, if this would apply to percent 
encoding, but it gives my thoughts a litle warning.


At the moment there exist the following implementations:

- Compat: forward the decoded URI, security issues

- CompatUnparsed: forward the original request URI, breaks mod_rewrite

- Proxy: Reencode using mod_proxy "full" reencoding (save for semicolon, 
i.e. URL session encoding), secure, adds some performance penalty


- Escaped: Reencode fully, safe but breaks URL encoded sessions,

- Minimal (the one I suggested): OK with mod_rewrite and sessions, a 
little faster than Proxy, but maybe open to not yet thought upon 
security threats, maybe also problematic if mod_jk and the backend use 
different character sets (I don't know if AJP URLs would be binary 
compatible for chars above 128 between mod_jk and the backend).


All in all I also vote for "Proxy" as the new default, maybe with a 
little optimization by first checking the URL, if there are actual 
characters from the reencoding set in there (in most cases there won't, 
and we don't need to copy character by character).


I strongly vote for leaving the old options in there for 1.2. Because 
for a long time default configurations had one of the old options as an 
explicit parameter in them (so they are not using the default), we 
should add a warning on startup, that the option is deprecated and 
removing it will most likely make the configuration safer and more 
interoperable with different environments. I would still allow using it.



2) Mladen's patch

The core idea of Mladen's patch was to check the URL against a known 
classical way of breaking the combination mod_jk and Tomcat. Even after 
fixing this breakage by re-encoding the URL before forwarding, I find it 
worth of thinking about his patch.


Apache httpd for instance has a parameter to *allow* URLs with encoded 
slashes  which is by default *off*:


AllowEncodedSlashes Off

This disables some suspicious URLs stopps many of the standard break in 
attempts.


So at least I see some reason for options to make the combination more 
sensible to evil URLs. Encoded slashes as well as encoded backslashes or 
encoded percent signs might be good candidates.


Since those URL parts can have legitimate use, those can only be 
options, and one can discuss, if the default should be on or off. They 
will help to harden the security.


Since mod_jk is for multiple web servers and maybe backends, there is 
some reason to actually implement those checks, even if some 
combinations might do it in front or behind mod_jk.


I would propose a check for encoded slashes, backslashes and encoded 
percent signs, combined in one option "DenyUnsafeURL", which in 1.2 will 
be off by default. Room for discussion here!



3) IIS, Netscape

We need to investigate, how we forward from IIS and Netscape. For IIS, 
Mladen will know. Netscape uses decoded URL like Apache, so we'll switch 
to the same handling as the new default in Apache.


Regards,

Rainer


Remy Maucherat wrote:

Mladen Turk wrote:

That's why I suggested to stop for a while and see all the possibilities.


We've talked about it for a while (see the length of this thread ...), 
and I consider it is time to think over code: apply the proposed patch 
which aims to harmonize with mod_proxy, and see what actual problems it 
causes, if any. This means I am vetoing r54413

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Remy Maucherat]

Mladen Turk wrote:

That's why I suggested to stop for a while and see all the possibilities.


We've talked about it for a while (see the length of this thread ...), 
and I consider it is time to think over code: apply the proposed patch 
which aims to harmonize with mod_proxy, and see what actual problems it 
causes, if any. This means I am vetoing r544137 (the patch was an 
emergency fix with some side effects, and needs to be replaced with a 
proper implementation).


Rémy

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Mladen Turk]

Remy Maucherat wrote:

Mladen Turk wrote:

Why?
Let's stop a bit and test things before.


Jean-Frédéric proposes implementing the same behavior as mod_proxy, so I
don't see how this can be a bad thing.


First of all I didn't said it's a bad thing or anything like that.
We need the same behavior on Apache and IIS (at least), so this patch
needs to be tested on IIS and Netscape as well.
Also I think we should consider and discuss do we really need
extra directive or it can be done by using existing or default.

That's why I suggested to stop for a while and see all the possibilities.

Regards,
Mladen.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Remy Maucherat]

Mladen Turk wrote:

Why?
Let's stop a bit and test things before.


Jean-Frédéric has of course done extended testing before proposing this 
:) The original patch was meant to close the "security problem" as soon 
as possible, but in the end has a bad behavior and should be reverted. 
Jean-Frédéric proposes implementing the same behavior as mod_proxy, so I 
don't see how this can be a bad thing.


Rémy

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Jean-Frederic]

On Tue, 2007-06-12 at 19:50 +0200, Mladen Turk wrote:
> Jean-Frederic wrote:
>  >>> Add ForwardURIProxy to the URl handling option.
>  >>> common/jk_url.c is just a porting of the routines
>  >>> from proxy_util.c (Apache httpd).
>  >> After quite a few discussions, I think this should be the only mode 
> available for URI handling, as the two others are broken.
>  >>
>  >> Comments ?
>  >
>  > Additionaly I want to rollback r544137 too.
>  >
> 
> Why?

To reach the following:
url   file/dir TC Compat Proxy Proxy-r544137
%252007%2007   ok no okok
%252E%252E %2E%2E  ok no nook

Of course using Compat-r544137 would reopen the vulnerability.

Cheers

Jean-Frederic


> Let's stop a bit and test things before.
> 
> Regards,
> Mladen.
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Mark Thomas]

Mladen Turk wrote:
> Jean-Frederic wrote:
 Add ForwardURIProxy to the URl handling option.
 common/jk_url.c is just a porting of the routines
 from proxy_util.c (Apache httpd).
>>> After quite a few discussions, I think this should be the only mode
> available for URI handling, as the two others are broken.

I was coming to the same conclusion but want to test some more first
before +1'ing this idea

> Let's stop a bit and test things before.

+1. Now all I need is some time... ;)

Mark


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Mladen Turk]

Jean-Frederic wrote:
>>> Add ForwardURIProxy to the URl handling option.
>>> common/jk_url.c is just a porting of the routines
>>> from proxy_util.c (Apache httpd).
>> After quite a few discussions, I think this should be the only mode 
available for URI handling, as the two others are broken.
>>
>> Comments ?
>
> Additionaly I want to rollback r544137 too.
>

Why?
Let's stop a bit and test things before.

Regards,
Mladen.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Jean-Frederic]

On Tue, 2007-06-12 at 17:50 +0200, Remy Maucherat wrote:
> [EMAIL PROTECTED] wrote:
> > Author: jfclere
> > Date: Tue Jun 12 08:32:10 2007
> > New Revision: 546531
> > 
> > URL: http://svn.apache.org/viewvc?view=rev&rev=546531
> > Log:
> > Add ForwardURIProxy to the URl handling option.
> > common/jk_url.c is just a porting of the routines
> > from proxy_util.c (Apache httpd).
> 
> After quite a few discussions, I think this should be the only mode 
> available for URI handling, as the two others are broken.
> 
> Comments ?

Additionaly I want to rollback r544137 too.

Cheers

Jean-Frederic

> 
> Rémy
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[Remy Maucherat]

[EMAIL PROTECTED] wrote:

Author: jfclere
Date: Tue Jun 12 08:32:10 2007
New Revision: 546531

URL: http://svn.apache.org/viewvc?view=rev&rev=546531
Log:
Add ForwardURIProxy to the URl handling option.
common/jk_url.c is just a porting of the routines
from proxy_util.c (Apache httpd).


After quite a few discussions, I think this should be the only mode 
available for URI handling, as the two others are broken.


Comments ?

Rémy

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

[jfclere]

Author: jfclere
Date: Tue Jun 12 08:32:10 2007
New Revision: 546531

URL: http://svn.apache.org/viewvc?view=rev&rev=546531
Log:
Add ForwardURIProxy to the URl handling option.
common/jk_url.c is just a porting of the routines
from proxy_util.c (Apache httpd).

Added:
tomcat/connectors/trunk/jk/native/common/jk_url.c
tomcat/connectors/trunk/jk/native/common/jk_url.h
Modified:
tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
tomcat/connectors/trunk/jk/native/common/jk_global.h
tomcat/connectors/trunk/jk/native/common/list.mk.in

Modified: tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c?view=diff&rev=546531&r1=546530&r2=546531
==
--- tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c Tue Jun 12 08:32:10 
2007
@@ -60,6 +60,7 @@
 #include "jk_uri_worker_map.h"
 #include "jk_ajp13.h"
 #include "jk_shm.h"
+#include "jk_url.h"
 
 #define JK_LOG_DEF_FILE ("logs/mod_jk.log")
 #define JK_SHM_DEF_FILE ("logs/jk-runtime-status")
@@ -519,6 +520,7 @@
 request_rec *r = private_data->r;
 char *ssl_temp = NULL;
 s->route = NULL;/* Used for sticky session routing */
+int size;
 
 /* Copy in function pointers (which are really methods) */
 s->start_response = ws_start_response;
@@ -627,6 +629,13 @@
 s->req_uri = r->uri;
 break;
 
+case JK_OPT_FWDURIPROXY:
+size = strlen(r->uri);
+s->req_uri = ap_palloc(r->pool, size * 3 + 1);
+jk_canonenc(s->req_uri, r->uri, size, enc_path, 0,
+JK_PROXYREQ_REVERSE);
+break;
+
 case JK_OPT_FWDURIESCAPED:
 s->req_uri = ap_escape_uri(r->pool, r->uri);
 break;
@@ -1725,6 +1734,10 @@
 }
 else if (!strcasecmp(w, "ForwardURIEscaped")) {
 opt = JK_OPT_FWDURIESCAPED;
+mask = JK_OPT_FWDURIMASK;
+}
+else if (!strcasecmp(w, "ForwardURIProxy")) {
+opt = JK_OPT_FWDURIPROXY;
 mask = JK_OPT_FWDURIMASK;
 }
 else if (!strcasecmp(w, "ForwardDirectories")) {

Modified: tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c?view=diff&rev=546531&r1=546530&r2=546531
==
--- tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c Tue Jun 12 08:32:10 
2007
@@ -102,6 +102,7 @@
 #include "jk_util.h"
 #include "jk_worker.h"
 #include "jk_shm.h"
+#include "jk_url.h"
 
 #define JK_LOG_DEF_FILE ("logs/mod_jk.log")
 #define JK_SHM_DEF_FILE ("logs/jk-runtime-status")
@@ -539,6 +540,7 @@
 request_rec *r = private_data->r;
 
 char *ssl_temp = NULL;
+int size;
 s->route = NULL;/* Used for sticky session routing */
 
 /* Copy in function pointers (which are really methods) */
@@ -655,6 +657,13 @@
 s->req_uri = r->uri;
 break;
 
+case JK_OPT_FWDURIPROXY:
+size = strlen(r->uri);
+s->req_uri = apr_palloc(r->pool, size * 3 + 1);
+jk_canonenc(s->req_uri, r->uri, size, enc_path, 0, 
+JK_PROXYREQ_REVERSE);
+break;
+
 case JK_OPT_FWDURIESCAPED:
 s->req_uri = ap_escape_uri(r->pool, r->uri);
 break;
@@ -1758,6 +1767,10 @@
 }
 else if (!strcasecmp(w, "ForwardURIEscaped")) {
 opt = JK_OPT_FWDURIESCAPED;
+mask = JK_OPT_FWDURIMASK;
+}
+else if (!strcasecmp(w, "ForwardURIProxy")) {
+opt = JK_OPT_FWDURIPROXY;
 mask = JK_OPT_FWDURIMASK;
 }
 else if (!strcasecmp(w, "ForwardDirectories")) {

Modified: tomcat/connectors/trunk/jk/native/common/jk_global.h
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_global.h?view=diff&rev=546531&r1=546530&r2=546531
==
--- tomcat/connectors/trunk/jk/native/common/jk_global.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_global.h Tue Jun 12 08:32:10 
2007
@@ -228,15 +228,16 @@
  * JK options
  */
 
-#define JK_OPT_FWDURIMASK   0x0003
+#define JK_OPT_FWDURIMASK   0x0007
 
 #define JK_OPT_FWDURICOMPAT 0x0001
 #define JK_OPT_FWDURICOMPATUNPARSED 0x0002
 #define JK_OPT_FWDURIESCAPED0x0003
+#define JK_OPT_FWDURIPROXY  0x0004
 
-#define JK_OPT_FWDURIDEFAULTJK_OPT_FWDURICOMPAT
+#define JK_OPT_FWDURIDEFAULTJK_OPT_FWDURIPROXY
 
-#define JK_OPT_FWDKEYSIZE   0x0004
+#define JK_OPT_FWDKEYSIZE   0x0200
 
 #define JK_OPT