[Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths

Endi Sukma Dewata edewata at redhat.com
Wed Jan 20 15:58:23 UTC 2016


On 1/19/2016 12:06 AM, Fraser Tweedale wrote:
> Updated patch attached; comments inline.
>
> On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
>> On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
>>> The attached patch fixes GET-based OCSP requests,
>>> https://fedorahosted.org/pki/ticket/1658
>>>
>>> Cheers,
>>> Fraser
>>
>> Some comments:
>>
>> 1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
>> security concern:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>>
>> The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
>> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
>> allow non-standard parsing of the request URI. Using these options when
>> behind a reverse proxy may enable an attacker to bypass any security
>> constraints enforced by the proxy.
>>
>> However, since we are not dependent on a proxy to protect PKI pages in
>> Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
>> anybody else has a concern.
>>
> I do not see a vulnerability - AFAICT the vulnerability was from
> proxies enforcing path-based access control but parsing the path
> differently, which as you point out is not our situation.  Hopefully
> we are not overlooking something.
>
>> 2. I think the catalina.properties that needs to be modified is in
>> base/server/share/conf. The others are duplicates that should've been
>> removed.
>>
> Patch updated.  I'll send another patch removing the obsolete
> catalina.properties files soon.
>
>> 3. During deployment the catalina.properties is copied into <instance
>> dir>/conf. So if we want to fix existing instances we need to write an
>> upgrade script.
>>
> Added an upgrade script.
>
> Thanks for reviewing!
> Fraser
>

ACK.

-- 
Endi S. Dewata
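The parsing discrepancy discussed in this thread, as an added illustration that is not part of the original mail or of the PKI code base: the GET form of an OCSP request carries base64 in the URL path, base64 contains '/', and Tomcat's UDecoder rejects %2F unless ALLOW_ENCODED_SLASH is set. The sample DER bytes are constructed (not a real OCSPRequest), the decoder function is a simplified model of Tomcat's behaviour, and the prefix ACL stands in for PKI's own ACL on the decoded path.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample bytes (NOT a real OCSPRequest): chosen so that the base64
# form contains '/', which is what breaks GET-based OCSP under Tomcat's
# default UDecoder settings.
SAMPLE_DER = bytes([0x30, 0x08, 0xFF, 0xFF, 0xFF, 0x02, 0x01, 0x00])


def ocsp_get_path(responder_url, der):
    """RFC 6960 GET form: base64 of the DER request, URL-encoded as one path segment."""
    b64 = base64.b64encode(der).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")


def tomcat_decode(raw_path, allow_encoded_slash=False):
    """Simplified model of Tomcat's UDecoder: %2F in the path is rejected
    (HTTP 400) unless org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true."""
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None
    return unquote(raw_path)


def segments(path):
    return [s for s in path.split("/") if s]


def prefix_acl_allows(decoded_path, allowed_prefix):
    """PKI-style ACL: decide on the path the application actually sees,
    so an encoded slash inside a segment cannot change the decision."""
    return decoded_path == allowed_prefix or decoded_path.startswith(allowed_prefix + "/")


def demo():
    raw = ocsp_get_path("/ca/ocsp", SAMPLE_DER)
    default = tomcat_decode(raw)                            # None: rejected
    patched = tomcat_decode(raw, allow_encoded_slash=True)  # decoded path
    # A proxy matching on the raw URI sees one opaque segment after /ca/ocsp;
    # the servlet container sees the decoded '/' characters as separators.
    return {
        "raw": raw,
        "rejected_by_default": default is None,
        "decoded": patched,
        "proxy_segments": len(segments(raw)),
        "servlet_segments": len(segments(patched)),
        "acl_allows": prefix_acl_allows(patched, "/ca/ocsp"),
    }
```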
