Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-07-23 Thread jean-frederic clere
On 21/07/2020 06:51, William A Rowe Jr wrote: On Mon, Jul 20, 2020, 10:24 Ruediger Pluem wrote: On 7/20/20 4:45 PM, Yann Ylavic wrote: > On Thu, Jul 16, 2020 at 10:31 PM Eric Covener wrote: >> >> On Thu, Jul 16, 2020

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-07-20 Thread William A Rowe Jr
On Mon, Jul 20, 2020, 10:24 Ruediger Pluem wrote: > > > On 7/20/20 4:45 PM, Yann Ylavic wrote: > > On Thu, Jul 16, 2020 at 10:31 PM Eric Covener wrote: > >> > >> On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem > wrote: > >>> > >>> > >>> > >>> On 6/24/20 1:27 PM, Eric Covener wrote: > > >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-07-20 Thread Ruediger Pluem
On 7/20/20 4:45 PM, Yann Ylavic wrote: > On Thu, Jul 16, 2020 at 10:31 PM Eric Covener wrote: >> >> On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem wrote: >>> >>> >>> >>> On 6/24/20 1:27 PM, Eric Covener wrote: > > ProxyMappingDecoded is not needed anymore (and was removed). > The

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-07-20 Thread Yann Ylavic
On Thu, Jul 16, 2020 at 10:31 PM Eric Covener wrote: > > On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem wrote: > > > > > > > > On 6/24/20 1:27 PM, Eric Covener wrote: > > >> > > >> ProxyMappingDecoded is not needed anymore (and was removed). > > >> The mapping= tells mod_proxy at which stage

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-07-16 Thread Eric Covener
On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem wrote: > > > > On 6/24/20 1:27 PM, Eric Covener wrote: > >> > >> ProxyMappingDecoded is not needed anymore (and was removed). > >> The mapping= tells mod_proxy at which stage ([pre_]translate) it > >> should map the request path. > > +1 > > > >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-07-16 Thread Ruediger Pluem
On 6/24/20 1:27 PM, Eric Covener wrote: >> >> ProxyMappingDecoded is not needed anymore (and was removed). >> The mapping= tells mod_proxy at which stage ([pre_]translate) it >> should map the request path. > +1 > Getting back to an old topic. Shouldn't we have a directive similar to

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-24 Thread Eric Covener
> > ProxyMappingDecoded is not needed anymore (and was removed). > The mapping= tells mod_proxy at which stage ([pre_]translate) it > should map the request path. +1

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-24 Thread Yann Ylavic
On Mon, Jun 22, 2020 at 5:13 PM Yann Ylavic wrote: > > On Mon, Jun 22, 2020 at 5:04 PM jean-frederic clere wrote: > > > > Do we want: > > curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp; > > ProxyMappingDecoded Off > > > >ProxyPass ajp://localhost:8009/docs

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread Yann Ylavic
On Mon, Jun 22, 2020 at 5:04 PM jean-frederic clere wrote: > > On 22/06/2020 16:12, Yann Ylavic wrote: > > On Mon, Jun 22, 2020 at 2:44 PM Eric Covener wrote: > >> > >>> You need to set: > >>> ProxyMappingDecoded off > >>> in your vhost (or directory) for servlet mapping to be active, with

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread jean-frederic clere
On 22/06/2020 16:12, Yann Ylavic wrote: On Mon, Jun 22, 2020 at 2:44 PM Eric Covener wrote: You need to set: ProxyMappingDecoded off in your vhost (or directory) for servlet mapping to be active, with a Does it work in directory context? pre_trans is before location_walk. Argh no,

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread jean-frederic clere
On 22/06/2020 13:02, Yann Ylavic wrote: On Mon, Jun 22, 2020 at 12:33 PM jean-frederic clere wrote: On 22/06/2020 12:23, Yann Ylavic wrote: On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere wrote: But there is still something I want to prevent: ProxyPass /docs

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread Yann Ylavic
On Mon, Jun 22, 2020 at 2:44 PM Eric Covener wrote: > > > You need to set: > > ProxyMappingDecoded off > > in your vhost (or directory) for servlet mapping to be active, with a > > Does it work in directory context? pre_trans is before location_walk. Argh no, didn't think of it :/ For this

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread Eric Covener
> You need to set: > ProxyMappingDecoded off > in your vhost (or directory) for servlet mapping to be active, with a Does it work in directory context? pre_trans is before location_walk.

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread Yann Ylavic
On Mon, Jun 22, 2020 at 12:33 PM jean-frederic clere wrote: > > On 22/06/2020 12:23, Yann Ylavic wrote: > > On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere > > wrote: > >> > > But there is still something I want to prevent: > ProxyPass /docs ajp://localhost:8009/docs >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread jean-frederic clere
On 22/06/2020 12:23, Yann Ylavic wrote: On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere wrote: But there is still something I want to prevent: ProxyPass /docs ajp://localhost:8009/docs and url like: curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp; How do we

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread Yann Ylavic
On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere wrote: > > >> > >> But there is still something I want to prevent: > >> ProxyPass /docs ajp://localhost:8009/docs > >> and url like: > >> curl -v --path-as-is > >> "http://localhost:8000/docs/..;food=bar/test/index.jsp; > >> How do we do

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread jean-frederic clere
On 22/06/2020 11:50, Yann Ylavic wrote: On Mon, Jun 22, 2020 at 11:20 AM jean-frederic clere wrote: On 19/06/2020 12:02, Yann Ylavic wrote: On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere wrote: ProxyMappingDecoded Off ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread Yann Ylavic
On Mon, Jun 22, 2020 at 11:20 AM jean-frederic clere wrote: > > On 19/06/2020 12:02, Yann Ylavic wrote: > > On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere > > wrote: > >> > >> ProxyMappingDecoded Off > >> ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@ mapping=servlet > > [] >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-22 Thread jean-frederic clere
On 19/06/2020 12:02, Yann Ylavic wrote: On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere wrote: ProxyMappingDecoded Off ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@ mapping=servlet [] what is going wrong with "http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp;

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-19 Thread Yann Ylavic
On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere wrote: > > ProxyMappingDecoded Off > ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@ mapping=servlet [] > what is going wrong with > "http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp; > same for "curl -v --path-as-is >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-18 Thread jean-frederic clere
On 17/06/2020 13:26, Yann Ylavic wrote: On Sat, Jun 13, 2020 at 11:18 AM jean-frederic clere wrote: On 11/06/2020 13:50, Yann Ylavic wrote: On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic wrote: On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic wrote: On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-17 Thread Yann Ylavic
On Sat, Jun 13, 2020 at 11:18 AM jean-frederic clere wrote: > > On 11/06/2020 13:50, Yann Ylavic wrote: > > On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic wrote: > >> > >> On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic wrote: > >>> > >>> On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic wrote: > >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-13 Thread jean-frederic clere
On 11/06/2020 13:50, Yann Ylavic wrote: On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic wrote: On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic wrote: On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic wrote: We need a way to forward non %-decoded URLs upto mod_proxy (reverse) if we want to normalize a

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-12 Thread Ruediger Pluem
On 6/11/20 9:50 AM, Yann Ylavic wrote: > On Thu, Jun 11, 2020 at 8:52 AM jean-frederic clere wrote: >> >> Should I commit my first proposal (it is easily backportable to 2.4.x) >> and later work on the next one? > > How about something like the attached patch? Looks good in general, but 1.

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread Yann Ylavic
On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic wrote: > > On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic wrote: > > > > On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic wrote: > > > > > > We need a way to forward non %-decoded URLs upto mod_proxy (reverse) > > > if we want to normalize a second time.. > >

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread Yann Ylavic
On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic wrote: > > On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic wrote: > > > > We need a way to forward non %-decoded URLs upto mod_proxy (reverse) > > if we want to normalize a second time.. > > IOW, this block in ap_process_request_internal(): [snip] > Should

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread Mark Thomas
On 11/06/2020 07:51, jean-frederic clere wrote: > On 10/06/2020 11:53, Ruediger Pluem wrote: >> >> >> On 6/9/20 12:05 PM, jean-frederic clere wrote: >>> Hi, >>> >>> Basically it adds servletnormalizecheck to mod_proxy for >>> ProxyPass/ProxyPassMatch and mod_rewrite when using P >>> I have tested

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread Yann Ylavic
On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic wrote: > > We need a way to forward non %-decoded URLs upto mod_proxy (reverse) > if we want to normalize a second time.. IOW, this block in ap_process_request_internal(): /* Ignore URL unescaping for proxy requests */ if (!r->proxyreq &&

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread Yann Ylavic
On Thu, Jun 11, 2020 at 8:52 AM jean-frederic clere wrote: > > Should I commit my first proposal (it is easily backportable to 2.4.x) > and later work on the next one? How about something like the attached patch? It's a new single ap_normalize_path() helper with options (like

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread jean-frederic clere
On 10/06/2020 11:53, Ruediger Pluem wrote: On 6/9/20 12:05 PM, jean-frederic clere wrote: Hi, Basically it adds servletnormalizecheck to mod_proxy for ProxyPass/ProxyPassMatch and mod_rewrite when using P I have tested the following uses: #ProxyPass  /docs ajp://localhost:8009/docs

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-10 Thread Ruediger Pluem
On 6/9/20 12:05 PM, jean-frederic clere wrote: > Hi, > > Basically it adds servletnormalizecheck to mod_proxy for > ProxyPass/ProxyPassMatch and mod_rewrite when using P > I have tested the following uses: > #ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ > servletnormalizecheck >

hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-09 Thread jean-frederic clere
Hi, Basically it adds servletnormalizecheck to mod_proxy for ProxyPass/ProxyPassMatch and mod_rewrite when using P I have tested the following uses: #ProxyPass /docs ajp://localhost:8009/docs secret=%A1b2!@ servletnormalizecheck #ProxyPassMatch "^/docs(.*)$" "ajp://localhost:8009/docs$1"