[Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths

Endi Sukma Dewata edewata at redhat.com
Mon Jan 11 19:11:24 UTC 2016


On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> The attached patch fixes GET-based OCSP requests,
> https://fedorahosted.org/pki/ticket/1658
>
> Cheers,
> Fraser

Some comments:

1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a 
security concern:

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and 
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system 
properties allow non-standard parsing of the request URI. Using these 
options when behind a reverse proxy may enable an attacker to bypass any 
security constraints enforced by the proxy.

However, since we are not dependent on a proxy to protect PKI pages in 
Tomcat (we have our own ACL in PKI) I suppose this is not an issue, 
unless anybody else has a concern.

2. I think the catalina.properties that needs to be modified is in 
base/server/share/conf. The others are duplicates that should've been 
removed.

3. During deployment the catalina.properties is copied into <instance 
dir>/conf. So if we want to fix existing instances we need to write an 
upgrade script.

-- 
Endi S. Dewata
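An added example (mine, not code from the patch or from the PKI project) modelling what the ALLOW_ENCODED_SLASH property changes and the proxy-side check the Tomcat security how-to quoted above implies. The OCSP GET path is constructed; the proxy rule is a simplified prefix match, an assumption standing in for whatever a real proxy enforces.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed OCSP GET request line: RFC 6960 places the base64 DER request
# in the URL path, so any '/' in the base64 text arrives as %2F.
OCSP_GET_PATH = "/ca/ocsp/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT%2FG0Z5y9k1W9BoCbFr2dT6mA%3D%3D"


def tomcat_decode_path(raw_path: str, allow_encoded_slash: bool) -> Optional[str]:
    """Model of the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH
    switch: with the default (false) Tomcat rejects a path containing %2F
    with HTTP 400 (None here); with true it decodes it like any other escape."""
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None
    return unquote(raw_path)


def proxy_permits_raw(raw_path: str, protected_prefix: str) -> bool:
    """A proxy rule that compares the protected prefix against the URI as sent."""
    return not raw_path.startswith(protected_prefix)


def proxy_permits_decoded(raw_path: str, protected_prefix: str) -> bool:
    """The same rule applied to the decoded path, which is what the rule must
    look at once Tomcat is told to decode %2F itself."""
    return not unquote(raw_path).startswith(protected_prefix)


def proxy_constraint_bypassable(raw_path: str, protected_prefix: str,
                                allow_encoded_slash: bool) -> bool:
    """True when the raw-URI rule lets a request through that Tomcat would
    route under the protected prefix after decoding: the situation the
    Tomcat security how-to warns about. A deployment that relies on the
    proxy for access control should see False for every path it serves
    before enabling the property; PKI's own ACL does not have this gap."""
    decoded = tomcat_decode_path(raw_path, allow_encoded_slash)
    if decoded is None:
        return False  # Tomcat rejected the request, nothing was routed
    return proxy_permits_raw(raw_path, protected_prefix) and \
        decoded.startswith(protected_prefix)
```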
