Updated patch attached; comments inline.
On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
>> The attached patch fixes GET-based OCSP requests,
>>
>> https://fedorahosted.org/pki/ticket/1658
>>
>> Cheers,
>> Fraser
>
> Some comments:
>
> 1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> security concern:
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>
> The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> allow non-standard parsing of the request URI. Using these options when
> behind a reverse proxy may enable an attacker to bypass any security
> constraints enforced by the proxy.
>
> However, since we are not dependent on a proxy to protect PKI pages in
> Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> anybody else has a concern.
>
I do not see a vulnerability - AFAICT the vulnerability was from
proxies that enforce path-based access control but parse the path
differently, which as you point out is not our situation. Hopefully
we are not overlooking something.
> 2. I think the catalina.properties that needs to be modified is in
> base/server/share/conf. The others are duplicates that should've been
> removed.
>
Patch updated. I'll send another patch removing the obsolete
catalina.properties files soon.
> 3. During deployment the catalina.properties is copied into <instance
> dir>/conf. So if we want to fix existing instances we need to write an
> upgrade script.
>
Added an upgrade script.
Thanks for reviewing!
Fraser
ACK.
--
Endi S. Dewata
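To make the trade-off in the thread concrete, here is an added example (not PKI or Tomcat code, and not from either poster) that models the two things being weighed: why OCSP GET requests need `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` at all, and the proxy-bypass the Tomcat security how-to warns about. The Tomcat behaviour is a simplified emulation (reject a `%2F` by default, otherwise percent-decode and then normalise `..` segments); the proxy rule, the `/ca/admin/` prefix and the DER bytes are constructed assumptions.

```python
"""Model of the ALLOW_ENCODED_SLASH trade-off.

Constructed example, not PKI or Tomcat code. It emulates the part of
Tomcat's request handling that matters here next to a reverse proxy
that enforces a path-based rule on the raw request line only, and a
backend ACL that looks at the decoded path instead.
"""
import base64
import posixpath
from urllib.parse import quote, unquote

# Hypothetical rule: everything under this prefix is supposed to be blocked.
PROTECTED_PREFIX = "/ca/admin/"


def proxy_allows(raw_path: str) -> bool:
    """Typical proxy ACL: a prefix match on the undecoded request path."""
    return not raw_path.startswith(PROTECTED_PREFIX)


def tomcat_resolve(raw_path: str, allow_encoded_slash: bool):
    """Return the path Tomcat would dispatch on, or None for a 400 rejection.

    Simplified model: by default Tomcat refuses a URI containing an encoded
    slash; with UDecoder.ALLOW_ENCODED_SLASH set it decodes %2F to '/' and
    then normalises '..' segments like any other slash.
    """
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None
    return posixpath.normpath(unquote(raw_path))


def backend_acl_allows(resolved_path: str) -> bool:
    """ACL applied by the application to the decoded, normalised path
    (the situation the thread describes: PKI's own ACLs, not the proxy)."""
    return not resolved_path.startswith(PROTECTED_PREFIX)


def ocsp_get_path(der_request: bytes, base: str = "/ca/ocsp") -> str:
    """RFC 6960 A.1 GET form: base64 of the DER request, then URL-encoded.

    Base64 output uses '/', so the encoded URI frequently contains %2F,
    which stock Tomcat rejects.
    """
    b64 = base64.b64encode(der_request).decode("ascii")
    return base + "/" + quote(b64, safe="")


def check(raw_path: str, allow_encoded_slash: bool) -> dict:
    """Outcome of one request under the given Tomcat setting."""
    passed_proxy = proxy_allows(raw_path)
    backend = tomcat_resolve(raw_path, allow_encoded_slash) if passed_proxy else None
    landed_on_protected = backend is not None and backend.startswith(PROTECTED_PREFIX)
    return {
        "raw": raw_path,
        "passed_proxy": passed_proxy,
        "backend_path": backend,
        # the documented bypass: proxy said yes, Tomcat lands on a protected path
        "proxy_bypassed": passed_proxy and landed_on_protected,
        # an ACL on the decoded path is not fooled by the encoding trick
        "backend_acl_allows": backend is not None and backend_acl_allows(backend),
    }


# Constructed sample: 4 bytes whose base64 ("AAA/AA==") contains a slash.
SAMPLE_DER = b"\x00\x00\x3f\x00"
SAMPLE_OCSP = ocsp_get_path(SAMPLE_DER)      # "/ca/ocsp/AAA%2FAA%3D%3D"
TRAVERSAL = "/ca/ocsp/..%2Fadmin/secret"     # the shape the Tomcat doc warns about

if __name__ == "__main__":
    for setting in (False, True):
        print(f"ALLOW_ENCODED_SLASH={setting}")
        for p in (SAMPLE_OCSP, TRAVERSAL):
            print("  ", check(p, setting))
```

With the property off, the legitimate OCSP GET is rejected outright; with it on, the request reaches the servlet, and the traversal path slips past a proxy that only looks at the raw request line, but is still caught by an ACL evaluated on the decoded path, which is the argument made in the thread.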