amyroh 2003/02/10 18:27:15 Modified: webapps/admin build.xml webapps/admin/WEB-INF/classes/org/apache/webapp/admin ApplicationResources_en.properties ApplicationResources_es.properties webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve RemoteAddrValveForm.java RemoteHostValveForm.java ValveUtil.java Log: Add validation for RemoteAddrValve and RemoteHostValve to prevent installing a filter that prevents the admin's own access. Revision Changes Path 1.5 +8 -1 jakarta-tomcat-4.0/webapps/admin/build.xml
Index: build.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/admin/build.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- build.xml 16 Aug 2002 22:24:06 -0000 1.4
+++ build.xml 11 Feb 2003 02:27:15 -0000 1.5
@@ -20,6 +20,7 @@
 <path id="admin.classpath">
 <pathelement location="${commons-modeler.jar}"/>
 <pathelement location="${jmx.jar}"/>
+ <pathelement location="${regexp.jar}"/>
 <pathelement location="${servlet.jar}"/>
 <pathelement location="${struts.jar}"/>
 <pathelement location="${commons-beanutils.jar}"/>
@@ -55,6 +56,9 @@
 <available property="modeler.present"
 classname="org.apache.commons.modeler.Registry"
 classpath="${commons-modeler.jar}"/>
+ <available property="regexp.present"
+ classname="org.apache.regexp.RE"
+ classpath="${regexp.jar}" />
 <available property="servlet.present"
 classname="javax.servlet.Servlet"
 classpath="${servlet.jar}" />
@@ -69,6 +73,7 @@
 <!-- JAR files availability flags -->
 <available property="jmx.jar.present" file="${jmx.jar}" />
 <available property="modeler.jar.present" file="${commons-modeler.jar}" />
+ <available property="regexp.jar.present" file="${regexp.jar}" />
 <available property="servlet.jar.present" file="${servlet.jar}" />
 <available property="struts.jar.present" file="${struts.jar}" />
 <available property="beanutils.jar.present" file="${commons-beanutils.jar}" />
@@ -82,6 +87,7 @@ <equals arg1="${struts.present}" arg2="true" /> <equals arg1="${jmx.present}" arg2="true" /> <equals arg1="${modeler.present}" arg2="true" /> + <equals arg1="${regexp.present}" arg2="true" /> <available file="${struts.lib}/struts-bean.tld" /> <available file="${struts.lib}/struts-html.tld" /> <available file="${struts.lib}/struts-logic.tld" /> @@ -126,11 +132,13 @@ <echo message="jaxp.present=${jaxp.present}" /> <echo message="jmx.present=${jmx.present}" /> <echo message="modeler.present=${modeler.present}" /> + <echo message="regexp.present=${regexp.present}" /> <echo message="servlet.present=${servlet.present}" /> <echo message="--- Required JARs ---" /> <echo message="jmx.jar.present=${jmx.jar.present}" /> <echo message="modeler.jar.present=${modeler.jar.present}" /> + <echo message="regexp.jar.present=${regexp.jar.present}" /> <echo message="servlet.jar.present=${servlet.jar.present}" /> <echo message="struts.jar.present=${struts.jar.present}" /> <echo message="beanutils.jar.present=${beanutils.jar.present}" /> @@ -154,7 +162,6 @@ <copy todir="${webapps.build}/${webapp.name}/WEB-INF" file="${struts.lib}/struts-html.tld"/> <copy todir="${webapps.build}/${webapp.name}/WEB-INF" file="${struts.lib}/struts-logic.tld"/> </target> - <!-- =================== BUILD: Create Directories ====================== --> <target name="build-prepare"> 1.73 +6 -0 jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/ApplicationResources_en.properties Index: ApplicationResources_en.properties =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/ApplicationResources_en.properties,v retrieving revision 1.72 retrieving revision 1.73 diff -u -r1.72 -r1.73 --- ApplicationResources_en.properties 10 Dec 2002 20:41:47 -0000 1.72 +++ ApplicationResources_en.properties 11 Feb 2003 02:27:15 -0000 1.73 
@@ -251,6 +251,12 @@
 valve.denyHosts=Deny these Hosts
 valve.allowIPs=Allow IP addresses
 valve.denyIPs=Deny IP addresses
+error.allowHost=<li>Allow is invalid. Need to include the admin's Hostname.</li>
+error.denyHost=<li>Deny is invalid. Need to exclude the admin's Hostname.</li>
+error.allowIP=<li>Allow is invalid. Need to include the admin's IP address.</li>
+error.denyIP=<li>Deny is invalid. Need to exclude the admin's IP address.</li>
+error.allow.deny.required=<li>Allow or deny is required.</li>
+error.syntax=<li>Syntax error in request filter pattern.</li>
 error.resource.required=<li>Resource Name is required.</li>
 error.resource.javaprefix=<li>Resource must have "java:" prefix.</li>
 error.pathName.required=<li>Path Name is required.</li>
1.62 +6 -0 jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/ApplicationResources_es.properties
Index: ApplicationResources_es.properties
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/ApplicationResources_es.properties,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- ApplicationResources_es.properties 10 Dec 2002 20:41:47 -0000 1.61
+++ ApplicationResources_es.properties 11 Feb 2003 02:27:15 -0000 1.62
@@ -250,6 +250,12 @@ valve.denyHosts=Niegue estos Hosts valve.allowIPs=Permitir estas direcciones IP valve.denyIPs=Rechazar estas direcciones IP +error.allowHost=<li>Permita es inválido. Necesidad de incluir el hostname del admin.</li> +error.denyHost=<li>Niegue es inválido. Necesidad de excluir el hostname del admin.</li> +error.allowIP=<li>Permita es inválido. Necesidad de incluir el IP ADDRESS del admin.</li> +error.denyIP=<li>Niegue es inválido. Necesidad de excluir el IP ADDRESS del admin.</li> +error.allow.deny.required=<li>Permita o niegue se requiere.</li> +error.syntax=<li>Error del sintaxis en patrón del filtro de la petición.</li> error.resource.required=<li>Se requiere el nombre del recurso.</li> error.resource.javaprefix=<li>El recurso debe tener prefijo de "java:"</li> error.pathName.required=<li>Se requiere el nombre del path.</li> 1.3 +82 -10 jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve/RemoteAddrValveForm.java Index: RemoteAddrValveForm.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve/RemoteAddrValveForm.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- RemoteAddrValveForm.java 11 Apr 2002 07:42:04 -0000 1.2 +++ RemoteAddrValveForm.java 11 Feb 2003 02:27:15 -0000 1.3 @@ -61,13 +61,16 @@ package org.apache.webapp.admin.valve; +import java.lang.IllegalArgumentException; +import java.net.InetAddress; +import java.util.List; import javax.servlet.http.HttpServletRequest; +import org.apache.regexp.RE; import org.apache.struts.action.ActionError; import org.apache.struts.action.ActionErrors; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionMapping; -import java.net.InetAddress; -import java.util.List; + import org.apache.webapp.admin.ApplicationServlet; import org.apache.webapp.admin.LabelValueBean; 
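Review bot: `import java.lang.IllegalArgumentException;` is redundant, since every type in `java.lang` is imported implicitly; the same line is added in the RemoteHostValveForm import hunk. Dropping it leaves the import block with only what the file actually needs: the moved `java.net.InetAddress`/`java.util.List` lines and the new `org.apache.regexp.RE`.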
@@ -83,6 +86,7 @@ // ----------------------------------------------------- Instance Variables + /** * The text for the allow IP addresses. * A comma-separated list of regular expression patterns @@ -94,6 +98,17 @@ * The text for the deny IP addresses. */ private String deny = ""; + + /** + * The set of <code>allow</code> regular expressions we will evaluate. + */ + private RE allows[] = new RE[0]; + + /** + * The set of <code>deny</code> regular expressions we will evaluate. + */ + private RE denies[] = new RE[0]; + // ------------------------------------------------------------- Properties @@ -135,6 +150,7 @@ // --------------------------------------------------------- Public Methods + /** * Reset all properties to their default values. * @@ -146,6 +162,8 @@ super.reset(mapping, request); this.allow = null; this.deny = null; + this.allows = null; + this.denies = null; } 
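Review bot: `reset()` sets `allows` and `denies` to `null` even though their field initializers are empty arrays (`new RE[0]`), so the fields have two different "empty" representations; RemoteHostValveForm later guards `allows != null` while RemoteAddrValveForm does not. Resetting with `this.allows = new RE[0]; this.denies = new RE[0];` lets both forms treat the arrays uniformly. As a point of style, `private RE allows[]` is the C-style array declarator; `private RE[] allows` is the conventional Java form (same in the RemoteHostValveForm field hunk). The `reset` method's signature is above this hunk.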
@@ -188,10 +206,64 @@ String submit = request.getParameter("submit"); // front end validation when save is clicked. - if (submit != null) { - // validate allow/deny patterns? - } - + if (submit != null) { + // validate allow/deny patterns + if ((allow == null) || (allow.length() < 1)) { + if ((deny == null) || (deny.length() < 1)) { + errors.add("allow", + new ActionError("error.allow.deny.required")); + } + } + } + + try { + allows = ValveUtil.precalculate(allow); + } catch (IllegalArgumentException e) { + errors.add("allow", new ActionError("error.syntax")); + return errors; + } + + try { + denies = ValveUtil.precalculate(deny); + } catch (IllegalArgumentException e) { + errors.add("allow", new ActionError("error.syntax")); + return errors; + } + + String ip = request.getRemoteAddr(); + + if (ip == null) { + return errors; + } + + for (int i = 0; i < denies.length; i++) { + if (denies[i].match("127.0.0.1")) { + errors.add("deny", + new ActionError("error.denyIP")); + } + if (denies[i].match(ip)) { + for (int j = 0; j < allows.length; j++) { + if (!allows[j].match(ip)) { + errors.add("deny", + new ActionError("error.denyIP")); + } + } + } + } + + boolean allowMatch = true; + if (allows.length > 0) { + allowMatch = false; + } + for (int i = 0; i < allows.length; i++) { + if (allows[i].match(ip)) { + allowMatch = true; + } + } + if (!allowMatch) { + errors.add("allow", new ActionError("error.allowIP")); + } + return errors; } } 1.3 +94 -8 jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve/RemoteHostValveForm.java Index: RemoteHostValveForm.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve/RemoteHostValveForm.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- RemoteHostValveForm.java 11 Apr 2002 14:16:16 -0000 1.2 +++ RemoteHostValveForm.java 11 Feb 2003 02:27:15 -0000 1.3 
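Review bot: A deny pattern that matches the admin's own address is only reported when some allow pattern fails to match it: inside `if (denies[i].match(ip))` the error is added from within the loop over `allows`, so with an empty allow list (the deny-only configuration) the body never runs and a deny entry covering the admin's own address passes validation, which is the lock-out this commit sets out to prevent. If the valve rejects on any deny match regardless of allow patterns — which the unconditional `127.0.0.1` check a few lines above suggests is the intent — the inner loop should be replaced by a single `errors.add("deny", new ActionError("error.denyIP"));`; as written it also adds one duplicate error per non-matching allow pattern. The syntax error for the `deny` field is filed under the `"allow"` key in the second catch block; it should read `errors.add("deny", new ActionError("error.syntax"));`. Both points apply equally to the RemoteHostValveForm.validate hunk below. The enclosing `validate` method starts above this hunk.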
@@ -61,13 +61,16 @@ package org.apache.webapp.admin.valve; +import java.lang.IllegalArgumentException; +import java.net.InetAddress; +import java.util.List; import javax.servlet.http.HttpServletRequest; + +import org.apache.regexp.RE; import org.apache.struts.action.ActionError; import org.apache.struts.action.ActionErrors; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionMapping; -import java.net.InetAddress; -import java.util.List; import org.apache.webapp.admin.ApplicationServlet; import org.apache.webapp.admin.LabelValueBean; @@ -83,6 +86,7 @@ // ----------------------------------------------------- Instance Variables + /** * The text for the allow hosts IP addresses. * A comma-separated list of regular expression patterns @@ -95,6 +99,17 @@ */ private String deny = ""; + /** + * The set of <code>allow</code> regular expressions we will evaluate. + */ + private RE allows[] = new RE[0]; + + /** + * The set of <code>deny</code> regular expressions we will evaluate. + */ + private RE denies[] = new RE[0]; + + // ------------------------------------------------------------- Properties /** @@ -146,6 +161,8 @@ super.reset(mapping, request); this.allow = null; this.deny = null; + this.allows = null; + this.denies = null; } 
@@ -188,10 +205,79 @@ String submit = request.getParameter("submit"); // front end validation when save is clicked. - if (submit != null) { + if (submit != null) { // TBD // validate allow/deny IPs - } + if ((allow == null) || (allow.length() < 1)) { + if ((deny == null) || (deny.length() < 1)) { + errors.add("allow", + new ActionError("error.allow.deny.required")); + } + } + } + + try { + allows = ValveUtil.precalculate(allow); + } catch (IllegalArgumentException e) { + errors.add("allow", new ActionError("error.syntax")); + return errors; + } + + try { + denies = ValveUtil.precalculate(deny); + } catch (IllegalArgumentException e) { + errors.add("allow", new ActionError("error.syntax")); + return errors; + } + + String host = request.getRemoteHost(); + // check for IP address also in case DNS is not configured + // to give a host name for the client machine + String ip = request.getRemoteAddr(); + + if (host == null) { + return errors; + } + + for (int i = 0; i < denies.length; i++) { + if (denies[i].match("localhost") || + denies[i].match("127.0.0.1")) { + errors.add("deny", + new ActionError("error.denyHost")); + } + if (denies[i].match(host)) { + for (int j = 0; j < allows.length; j++) { + if (!allows[j].match(host)) { + errors.add("deny", + new ActionError("error.denyHost")); + } + } + } else if (denies[i].match(ip)) { + for (int j = 0; j < allows.length; j++) { + if (!allows[j].match(ip)) { + errors.add("deny", + new ActionError("error.denyHost")); + } + } + } + } + + boolean allowMatch = true; + + if ((allows != null) && (allows.length > 0)) { + allowMatch = false; + } + + for (int i = 0; i < allows.length; i++) { + if (allows[i].match(host)) { + allowMatch = true; + } + } + + if (!allowMatch) { + errors.add("allow", new ActionError("error.allowHost")); + } + return errors; } 1.9 +49 -4 jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve/ValveUtil.java Index: ValveUtil.java 
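Review bot: The allow check only tests `host`, while the deny branch above treats a match on either `host` or `ip` as relevant; when the client's address resolves to a DNS name but the admin wrote the allow pattern as an IP address, `allows[i].match(host)` fails and `error.allowHost` is reported even though the deny branch's own logic would count the IP. Mirroring it with `if (allows[i].match(host) || allows[i].match(ip))` keeps the two checks consistent. The `(allows != null)` guard on the `allowMatch` initialisation is inconsistent with the unguarded `allows.length` in the deny loop above and in the `for` immediately below; since both `precalculate` calls assign an array before this point, the guard can be dropped. `host` is null-checked but `ip` is passed to `denies[i].match(ip)` unguarded; extend the early return to `if ((host == null) || (ip == null))`. The enclosing `validate` method starts above this hunk.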
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve/ValveUtil.java,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- ValveUtil.java 10 Feb 2003 04:25:26 -0000 1.8
+++ ValveUtil.java 11 Feb 2003 02:27:15 -0000 1.9
@@ -62,6 +62,7 @@
 package org.apache.webapp.admin.valve;
 
 import java.net.URLEncoder;
+import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.Locale;
 import java.io.IOException;
@@ -77,6 +78,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
+import org.apache.regexp.RE;
+import org.apache.regexp.RESyntaxException;
 import org.apache.struts.action.Action;
 import org.apache.struts.action.ActionError;
 import org.apache.struts.action.ActionErrors;
@@ -238,4 +241,46 @@
 session.removeAttribute(mapping.getAttribute());
 return vObjectName;
 }
+
+
+ /**
+ * Return an array of regular expression objects initialized from the
+ * specified argument, which must be <code>null</code> or a comma-delimited
+ * list of regular expression patterns.
+ *
+ * @param list The comma-separated list of patterns
+ *
+ * @exception IllegalArgumentException if one of the patterns has
+ * invalid syntax
+ */
+ public static RE[] precalculate(String list)
+ throws IllegalArgumentException {
+
+ if (list == null)
+ return (new RE[0]);
+ list = list.trim();
+ if (list.length() < 1)
+ return (new RE[0]);
+ list += ",";
+
+ ArrayList reList = new ArrayList();
+ while (list.length() > 0) {
+ int comma = list.indexOf(',');
+ if (comma < 0)
+ break;
+ String pattern = list.substring(0, comma).trim();
+ try {
+ reList.add(new RE(pattern));
+ } catch (RESyntaxException e) {
+ throw new IllegalArgumentException
+ ("Syntax error in request filter pattern");
+ }
+ list = list.substring(comma + 1);
+ }
+
+ RE reArray[] = new RE[reList.size()];
+ return ((RE[]) reList.toArray(reArray));
+
+ }
+
 }
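Review bot: An empty element in the comma-separated list (a stray trailing comma, or `a,,b`) leaves `pattern` with length zero after the `trim()`, and `new RE("")` is compiled and added like any other pattern; an empty expression appears to match any string, so an accidental trailing comma in the allow list would admit every client, and in the deny list would block every client. Reject it right after the `trim()` with `if (pattern.length() < 1) throw new IllegalArgumentException("Empty request filter pattern");`, or, if empty entries are meant to be tolerated, skip it with `continue` after advancing `list` so the loop still terminates. The exception message also does not say which pattern failed; `"Syntax error in request filter pattern: " + pattern` would let the caller report the offending entry, and the `@exception` tag should then document the empty-pattern case as well.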