AMAGENTS-169 (project: OpenAM Agents)

RFE: Don't depend on Apache's 'pathinfo'

      Description

      The Agent currently depends on Apache's PATH_INFO.
      http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo

      This is a long-running source of issues.
      Workarounds for related problems often include changing these parameters:

      com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list
      com.sun.identity.agents.config.ignore.path.info

      This is despite limited understanding of what they do or what other issues this might lead to.

      #
      # IGNORE URL PATH
      #   When the not enforced list or policy has a wildcard '*' character, agent
      #   strips the path info from the request URI and uses the resulting request
      #   URI to check against the not enforced list or policy instead of the entire
      #   request URI, in order to prevent someone from getting access to any URI by
      #   simply appending the matching pattern in the policy or not enforced list.
      #   For example, if the not enforced list has the value http://host/*.gif,
      #   stripping the path info from the request URI will prevent someone from
      #   getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
      #   However when a web server (for example apache) is configured to be a reverse
      #   proxy server for a J2EE application server, path info is interpreted in a different
      #   manner since it maps to a resource on the proxy instead of the app server.
      #   This prevents the not enforced list or policy from being applied to part of
      #   the URI below the app server path if there is a wildcard character. For example,
      #   if the not enforced list has value http://host/webapp/servcontext/* and the
      #   request URL is http://host/webapp/servcontext/example.jsp the path info
      #   is /servcontext/example.jsp and the resulting request URL with path info stripped
      #   is http://host/webapp, which will not match the not enforced list. By setting the
      #   following property to true, the path info will not be stripped from the request URL
      #   even if there is a wildcard character in the not enforced list or policy.
      #   Be aware though that if this is set to true there should be nothing following the
      #   wildcard character '*' in the not enforced list or policy, or the
      #   security loophole described above may occur.
      #
      # Hot-Swap Enabled: Yes
      #
      com.sun.identity.agents.config.ignore.path.info = false

      #
      # IGNORE PATH INFO FOR NOT ENFORCED URLS
      #   Boolean attribute to indicate whether the path info and query should
      #   be stripped from the request URL before being compared with the URLs
      #   of the not enforced list when those URLs have a wildcard '*' character.
      #   For security reasons this property should be set to true in order to avoid
      #   a situation like the following one: if
      #   com.sun.identity.agents.config.notenforced.url[0] = http://host/*.gif
      #   someone can access http://host/index.html by using the request URL
      #   http://host/index.html/hack.gif.
      #
      #   Default value is true.
      #
      com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list = true

      In addition there are issues related to encoding of pathinfo resulting in changes in behaviour from 3.3.0 to 3.3.4/4.x (see linked support case).

      Can the Agent be allowed to run in a way that means we can drop pathinfo altogether, at least for new installs? E.g. Use mod_proxy?
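To make the two failure modes in the quoted config comments concrete, here is an added Python model of the agent's not-enforced-list matching. It is example code written for this issue, not the agent's own implementation; it assumes fnmatch-style '*' matching (which, like the agent's wildcard, spans '/') and that PATH_INFO is whatever the web server reports.

```python
import fnmatch
from urllib.parse import urlsplit, urlunsplit


def strip_path_info(request_url, path_info):
    """Drop the web-server-reported PATH_INFO and the query string."""
    parts = urlsplit(request_url)
    path = parts.path
    if path_info and path.endswith(path_info):
        path = path[: -len(path_info)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_not_enforced(request_url, path_info, not_enforced, strip):
    """True if the request falls on the not-enforced list.

    strip=True models ignore.path.info=false (PATH_INFO and query are
    stripped before comparing against a pattern containing '*');
    strip=False models ignore.path.info=true (the full URL is compared).
    """
    for pattern in not_enforced:
        candidate = request_url
        if strip and "*" in pattern:
            candidate = strip_path_info(request_url, path_info)
        if fnmatch.fnmatchcase(candidate, pattern):
            return True
    return False


def patterns_unsafe_without_stripping(not_enforced):
    """Patterns with text after '*': the config comment says these must not
    be used when stripping is disabled, because a suffix can be appended."""
    return [p for p in not_enforced if "*" in p and not p.endswith("*")]


if __name__ == "__main__":
    # Constructed inputs taken from the scenarios in the config comments.
    gif = ["http://host/*.gif"]
    for strip in (True, False):
        # False with stripping (blocked), True without (the loophole).
        print(strip, is_not_enforced("http://host/index.html/hack.gif",
                                     "/hack.gif", gif, strip))
    app = ["http://host/webapp/servcontext/*"]
    # Reverse-proxy case: stripping turns the URL into http://host/webapp,
    # so a legitimately not-enforced page is enforced after all.
    print(is_not_enforced("http://host/webapp/servcontext/example.jsp",
                          "/servcontext/example.jsp", app, True))
    print(patterns_unsafe_without_stripping(gif + app))
```

Run as-is it prints the blocked/loophole pair for the *.gif rule, the false negative for the reverse-proxy rule, and the one pattern that is unsafe to combine with ignore.path.info=true.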

      People

      Assignee: Chris Lee (chris.lee)
      Reporter: Andrew Dunn (andrew.dunn)
      QA Assignee: edwardb