authorFraser Tweedale <ftweedal@redhat.com>2015-11-05 00:17:24 -0500
committerFraser Tweedale <ftweedal@redhat.com>2016-01-21 13:38:32 +1000
commitcbcdeddc2e794be3955edf20ea1597e58c443ba6 (patch)
treebf30ca1f87ba457efaf7aed8c91e37e3a7766045 /base/server/upgrade/10.3.0
parent5fae5826e5442d7266681d19f282dc7728062b89 (diff)
Allow encoded slashes in HTTP paths
Properly formed GET-based OCSP requests can contain URL-encoded slashes in the HTTP path[1] but our Tomcat configuration does not permit this (returns 400 Bad Request). Change catalina.properties to allow URL-encoded slashes in HTTP paths. [1] https://tools.ietf.org/html/rfc6960#appendix-A.1 Also add an upgrade script to update catalina.properties in existing instances. Fixes: https://fedorahosted.org/pki/ticket/1658
Diffstat (limited to 'base/server/upgrade/10.3.0')
-rwxr-xr-xbase/server/upgrade/10.3.0/01-AllowEncodedSlash37
1 files changed, 37 insertions, 0 deletions
diff --git a/base/server/upgrade/10.3.0/01-AllowEncodedSlash b/base/server/upgrade/10.3.0/01-AllowEncodedSlash
new file mode 100755
index 000000000..3225d3a7e
--- /dev/null
+++ b/base/server/upgrade/10.3.0/01-AllowEncodedSlash
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+# Authors:
+# Fraser Tweedale <ftweedal@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+import pki.server.upgrade
+
+class AllowEncodedSlash(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(AllowEncodedSlash, self).__init__()
+ self.message = 'Enable Tomcat ALLOW_ENCODED_SLASH parameter'
+
+ def upgrade_instance(self, instance):
+ path = os.path.join(instance.base_dir, 'conf', 'catalina.properties')
+ if os.path.isfile(path):
+ with open(path, 'a+') as f:
+ data = f.read()
+ if 'ALLOW_ENCODED_SLASH=' not in data:
+ f.write('\norg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true\n')
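Review bot: The `f.read()` in `upgrade_instance` assumes that a file opened with `'a+'` starts with its read position at the beginning, which is not guaranteed. Under Python 3, and under Python 2 on some C libraries, the position starts at end of file, so `data` is empty and the property line is appended again on every upgrade run; adding `f.seek(0)` before `data = f.read()` fixes this. The substring test `'ALLOW_ENCODED_SLASH=' not in data` also treats a commented-out line or an explicit `=false` as already configured, so those instances are silently left unchanged and GET-based OCSP keeps returning 400 there. Because this is a system property, it likely relaxes path decoding for every web application in the instance rather than only the OCSP endpoint, so a comment above the write such as `# Needed for RFC 6960 GET-based OCSP; applies instance-wide, so any front-end proxy must decode %2F the same way Tomcat does` would record the trade-off for operators.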