Fix HTTP Request formatting in AdminConnection #489

cipherboy · 2020-07-21T19:14:02Z

AdminConnection's processRequest method creates a hand-rolled HTTP
request to the remote server. This is used by PKI Console when
authenticated as an administrator. Because of the recent CVE fix in
Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed)
terminated requests and headers, and instead reject them as a bad
request. We fix this by adding the missing and required CR, per HTTP
specification.

This fixes the following exception in PKIConsole:

java.io.IOException: 400
    at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537)
    at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497)
    at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411)
    at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788)
    at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681)
    at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646)
    at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379)
    at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128)

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

edewata

LGTM

AdminConnection's processRequest method creates a hand-rolled HTTP request to the remote server. This is used by PKI Console when authenticated as an administrator. Because of the recent CVE fix in Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed) terminated requests and headers, and instead reject them as a bad request. We fix this by adding the missing and required CR, per HTTP specification. This fixes the following exception in PKIConsole: java.io.IOException: 400 at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537) at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497) at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411) at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788) at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681) at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646) at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379) at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128) Signed-off-by: Alexander Scheel <ascheel@redhat.com>

cipherboy added the Bug Bug fixes label Jul 21, 2020

cipherboy requested a review from edewata July 21, 2020 19:14

cipherboy self-assigned this Jul 21, 2020

cipherboy force-pushed the fix-pki-console-requests branch from 997560a to ac6be67 Compare July 21, 2020 19:18

edewata approved these changes Jul 21, 2020

View reviewed changes

cipherboy force-pushed the fix-pki-console-requests branch 4 times, most recently from a7c6c2e to 074f453 Compare July 21, 2020 19:45

cipherboy force-pushed the fix-pki-console-requests branch from 074f453 to cbe2f4b Compare July 21, 2020 19:55

cipherboy merged commit ec612db into dogtagpki:master Jul 21, 2020

This was referenced Oct 1, 2020

Pkiconsole not opening - Server unreachable pki-bot/pki-issues-final#2737

Closed

Pkiconsole not opening - Server unreachable #3305

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix HTTP Request formatting in AdminConnection #489

Fix HTTP Request formatting in AdminConnection #489

cipherboy commented Jul 21, 2020

edewata left a comment

Fix HTTP Request formatting in AdminConnection #489

Fix HTTP Request formatting in AdminConnection #489

Conversation

cipherboy commented Jul 21, 2020

edewata left a comment

Choose a reason for hiding this comment