[Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths

Fraser Tweedale ftweedal at redhat.com
Thu Jan 21 03:39:36 UTC 2016


On Wed, Jan 20, 2016 at 09:58:23AM -0600, Endi Sukma Dewata wrote:
> On 1/19/2016 12:06 AM, Fraser Tweedale wrote:
> >Updated patch attached; comments inline.
> >
> >On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> >>On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> >>>The attached patch fixes GET-based OCSP requests,
> >>>https://fedorahosted.org/pki/ticket/1658
> >>>
> >>>Cheers,
> >>>Fraser
> >>
> >>Some comments:
> >>
> >>1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> >>security concern:
> >>
> >>http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> >>
> >>The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> >>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> >>allow non-standard parsing of the request URI. Using these options when
> >>behind a reverse proxy may enable an attacker to bypass any security
> >>constraints enforced by the proxy.
> >>
> >>However, since we are not dependent on a proxy to protect PKI pages in
> >>Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> >>anybody else has a concern.
> >>
> >I do not see a vulnerability - AFAICT the vulnerability was from
> >proxies enforcing path-based access control but parsing the path
> >differently, which as you point out is not our situation.  Hopefully
> >we are not overlooking something.
> >
> >>2. I think the catalina.properties that needs to be modified is in
> >>base/server/share/conf. The others are duplicates that should've been
> >>removed.
> >>
> >Patch updated.  I'll send another patch removing the obsolete
> >catalina.properties files soon.
> >
> >>3. During deployment the catalina.properties is copied into <instance
> >>dir>/conf. So if we want to fix existing instances we need to write an
> >>upgrade script.
> >>
> >Added an upgrade script.
> >
> >Thanks for reviewing!
> >Fraser
> >
> 
> ACK.
> 
Thanks; pushed to master:

cbcdeddc2e794be3955edf20ea1597e58c443ba6 Allow encoded slashes in HTTP paths
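To make the two sides of this thread concrete (why GET-based OCSP breaks without ALLOW_ENCODED_SLASH, and what the Tomcat security how-to is warning about), here is an added example in Python. It is not PKI or Tomcat code: it models Tomcat's handling of %2F with the property on and off, a hypothetical reverse proxy that enforces a deny rule on the raw request path, and an application-side ACL applied to the decoded path (the PKI situation Endi describes). The "DER" bytes are a constructed stand-in chosen so that their base64 form contains '/', '+' and '=', and the paths and prefixes are made up.

```python
"""Added example (not Dogtag PKI or Tomcat code): encoded slashes in
GET-based OCSP paths, and the proxy/backend parsing mismatch that the
Tomcat security how-to warns about for ALLOW_ENCODED_SLASH."""
import base64
from urllib.parse import quote, unquote

# The catalina.properties line the patch enables (value shown for reference).
TOMCAT_PROPERTY = "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"

# Constructed stand-in for a DER-encoded OCSPRequest (not a real request).
# Bytes picked so the base64 encoding is "MD/7//4A++++AQ==", i.e. it
# contains '/', '+' and '=' and must be percent-encoded to sit in a path.
SAMPLE_OCSP_REQUEST = bytes(
    [0x30, 0x3F, 0xFB, 0xFF, 0xFE, 0x00, 0xFB, 0xEF, 0xBE, 0x01])


def ocsp_get_path(der_request, base="/ca/ocsp"):
    """RFC 6960 Appendix A.1 form: GET {base}/{url-encoded base64 of DER}.
    '/' becomes %2F, '+' becomes %2B, '=' becomes %3D."""
    b64 = base64.b64encode(der_request).decode("ascii")
    return base + "/" + quote(b64, safe="")


def ocsp_request_from_path_info(decoded_path, base="/ca/ocsp"):
    """What a servlet must do once Tomcat has decoded the URI: treat the
    whole remainder after the base (slashes included) as one base64 string."""
    assert decoded_path.startswith(base + "/")
    return base64.b64decode(decoded_path[len(base) + 1:])


def tomcat_decode_path(raw_path, allow_encoded_slash):
    """Model of Tomcat's URI decoding: with ALLOW_ENCODED_SLASH unset, a
    request whose path contains %2F is rejected (Tomcat answers 400);
    with it set, %2F is decoded to '/' like any other escape."""
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None
    return unquote(raw_path)


def proxy_permits(raw_path, denied_prefixes):
    """Hypothetical reverse proxy enforcing a path-based rule on the RAW
    (still percent-encoded) request path, which is the setup the Tomcat
    security how-to describes as bypassable."""
    return not any(raw_path.startswith(p) for p in denied_prefixes)


def app_permits(decoded_path, denied_prefixes):
    """Application-side ACL evaluated on the path Tomcat actually routes on,
    i.e. after decoding (the PKI case: the ACL lives in the application)."""
    return not any(decoded_path.startswith(p) for p in denied_prefixes)


def handle(raw_path, allow_encoded_slash, denied_prefixes, app_enforces_acl):
    """Outcome of one request through proxy then Tomcat, as an HTTP status."""
    if not proxy_permits(raw_path, denied_prefixes):
        return 403
    decoded = tomcat_decode_path(raw_path, allow_encoded_slash)
    if decoded is None:
        return 400
    if app_enforces_acl and not app_permits(decoded, denied_prefixes):
        return 403
    return 200


if __name__ == "__main__":
    path = ocsp_get_path(SAMPLE_OCSP_REQUEST)
    print("OCSP GET path:", path)
    print("without ALLOW_ENCODED_SLASH:", tomcat_decode_path(path, False))
    decoded = tomcat_decode_path(path, True)
    print("with ALLOW_ENCODED_SLASH:   ", decoded)
    print("round-trips:", ocsp_request_from_path_info(decoded) == SAMPLE_OCSP_REQUEST)
    deny = ["/ca/admin/"]
    print("proxy-only ACL, %2F trick:", handle("/ca%2Fadmin/console", True, deny, False))
    print("app-side ACL,   %2F trick:", handle("/ca%2Fadmin/console", True, deny, True))
```

The third and fourth prints are the point of the Tomcat warning: a proxy that matches "/ca/admin/" against the raw path never sees "/ca%2Fadmin/console" as an admin request, while Tomcat with encoded slashes enabled decodes it to exactly that. An ACL evaluated by the application on the decoded path, as in PKI, is unaffected by how the proxy parsed the bytes, which is why enabling the property is acceptable there; anyone who does rely on a proxy for path-based restrictions should keep the property unset or make the proxy decode before matching.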
