Commit 4f32fe08 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Defend against malformed virtualhostroot-http-port / virtualhostroot-https-port values

parent c7ee2259
...@@ -58,7 +58,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b ...@@ -58,7 +58,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in filename = templates/default-virtualhost.conf.in
md5sum = d9269cc085752e09f4acce37a18e160c md5sum = 6635cfaf5eeb46ec6b97bd7a12ffc4e3
[template-cached-slave-virtualhost] [template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in filename = templates/cached-virtualhost.conf.in
...@@ -94,7 +94,7 @@ ...@@ -94,7 +94,7 @@
{%- endif %} {#- if 'default-path' in slave_parameter #} {%- endif %} {#- if 'default-path' in slave_parameter #}
rewrite { rewrite {
regexp (.*) regexp (.*)
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
} {# rewrite #} } {# rewrite #}
{%- elif slave_type == 'redirect' and backend_url %} {#- if slave_type == 'zope' and backend_url #} {%- elif slave_type == 'redirect' and backend_url %} {#- if slave_type == 'zope' and backend_url #}
# Redirect configuration # Redirect configuration
...@@ -216,7 +216,7 @@ ...@@ -216,7 +216,7 @@
{%- endif %} {#- if 'default-path' in slave_parameter #} {%- endif %} {#- if 'default-path' in slave_parameter #}
rewrite { rewrite {
regexp (.*) regexp (.*)
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
} {# rewrite #} } {# rewrite #}
{%- else %} {#- if https_only #} {%- else %} {#- if https_only #}
# Default configuration # Default configuration
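Review bot: The `| int` filter added to `{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}` turns any non-numeric port into `0` (Jinja's `int` filter returns its default of 0 on parse failure, which the new tests confirm by expecting `:0`), so a malformed or injected value now silently produces a `VirtualHostBase` URL with port 0 that Zope will use to build absolute links, instead of the slave being rejected as `server-alias` and `custom_domain` already are. It also does not bound the value: `-1` or `99999` pass through unchanged, and since the filter falls back to float parsing a value like `1e3` likely becomes `1000`. Consider validating the port where slaves are accepted (only `1 <= int(value) <= 65535`) and listing the slave as rejected otherwise, or at least document the fallback in the template: `{#- '| int' coerces a malformed port to 0 rather than rejecting the slave #}`. The same applies to the `virtualhostroot-http-port` rewrite in the second hunk; both rewrite blocks are fragments of a larger template.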
...@@ -3042,6 +3042,16 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3042,6 +3042,16 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'server-alias-unsafe': { 'server-alias-unsafe': {
'server-alias': '${section:option} afterspace', 'server-alias': '${section:option} afterspace',
}, },
'virtualhostroot-http-port-unsafe': {
'type': 'zope',
'url': cls.backend_url,
'virtualhostroot-http-port': '${section:option}',
},
'virtualhostroot-https-port-unsafe': {
'type': 'zope',
'url': cls.backend_url,
'virtualhostroot-https-port': '${section:option}',
},
} }
def test_master_partition_state(self): def test_master_partition_state(self):
...@@ -3051,9 +3061,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3051,9 +3061,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
expected_parameter_dict = { expected_parameter_dict = {
'monitor-base-url': None, 'monitor-base-url': None,
'domain': 'example.com', 'domain': 'example.com',
'accepted-slave-amount': '2', 'accepted-slave-amount': '4',
'rejected-slave-amount': '2', 'rejected-slave-amount': '2',
'slave-amount': '4', 'slave-amount': '6',
'rejected-slave-list': 'rejected-slave-list':
'["_server-alias-unsafe", "_custom_domain-unsafe"]'} '["_server-alias-unsafe", "_custom_domain-unsafe"]'}
...@@ -3157,3 +3167,63 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3157,3 +3167,63 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
parameter_dict, parameter_dict,
{} {}
) )
def test_virtualhostroot_http_port_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'virtualhostroot-http-port-unsafe']
self.assertLogAccessUrlWithPop(
parameter_dict, 'virtualhostroot-http-port-unsafe')
self.assertEqual(
parameter_dict,
{
'domain': 'virtualhostroothttpportunsafe.example.com',
'replication_number': '1',
'url': 'http://virtualhostroothttpportunsafe.example.com',
'site_url': 'http://virtualhostroothttpportunsafe.example.com',
'secure_access':
'https://virtualhostroothttpportunsafe.example.com',
'public-ipv4': LOCAL_IPV4,
}
)
result = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqualResultJson(
result,
'Path',
'/VirtualHostBase/http//virtualhostroothttpportunsafe'
'.example.com:0//VirtualHostRoot/test-path'
)
def test_virtualhostroot_https_port_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'virtualhostroot-https-port-unsafe']
self.assertLogAccessUrlWithPop(
parameter_dict, 'virtualhostroot-https-port-unsafe')
self.assertEqual(
parameter_dict,
{
'domain': 'virtualhostroothttpsportunsafe.example.com',
'replication_number': '1',
'url': 'http://virtualhostroothttpsportunsafe.example.com',
'site_url': 'http://virtualhostroothttpsportunsafe.example.com',
'secure_access':
'https://virtualhostroothttpsportunsafe.example.com',
'public-ipv4': LOCAL_IPV4,
}
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
der2pem(result.peercert),
open('wildcard.example.com.crt').read())
self.assertEqualResultJson(
result,
'Path',
'/VirtualHostBase/https//virtualhostroothttpsportunsafe'
'.example.com:0//VirtualHostRoot/test-path'
)
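Review bot: `test_virtualhostroot_http_port_unsafe` and `test_virtualhostroot_https_port_unsafe` pin `...example.com:0//VirtualHostRoot/test-path` as the accepted outcome, so the suite now guarantees that a malformed port yields a VirtualHostBase URL with port 0 while the slave is counted as accepted (`accepted-slave-amount` goes to `'4'` and `rejected-slave-list` still names only `_server-alias-unsafe` and `_custom_domain-unsafe`). If coercion rather than rejection is the intent, say so in a docstring, e.g. `"""A non-numeric port is coerced to 0 by the template's int filter; the slave is accepted, not rejected."""`; if rejection is the intent, these expectations belong in the rejected list instead. Neither test covers out-of-range numeric ports that `int` accepts unchanged, so a case such as `'virtualhostroot-http-port': '65536'` (and `'-1'`) would be worth adding alongside the `${section:option}` injection case. Both methods belong to `TestSlaveBadParameters`, whose class header is outside the hunk.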
...@@ -5,6 +5,10 @@ TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_access_log ...@@ -5,6 +5,10 @@ TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_access_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_error_log TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_error_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_access_log TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_error_log TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_error_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-http-port-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-http-port-unsafe_error_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-https-port-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-https-port-unsafe_error_log
TestSlaveBadParameters-1/var/log/monitor-httpd-error.log TestSlaveBadParameters-1/var/log/monitor-httpd-error.log
TestSlaveBadParameters-1/var/log/nginx-access.log TestSlaveBadParameters-1/var/log/nginx-access.log
TestSlaveBadParameters-1/var/log/nginx-error.log TestSlaveBadParameters-1/var/log/nginx-error.log
...@@ -3,3 +3,7 @@ TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-e ...@@ -3,3 +3,7 @@ TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-e
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-day TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-hour TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-re6st-optimal-test TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-re6st-optimal-test
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-http-port-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-http-port-unsafe-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-https-port-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-https-port-unsafe-error-log-last-hour
\ No newline at end of file