Commit 4f32fe08 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Defend against malformed virtualhostroot

parent c7ee2259
......@@ -58,7 +58,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in
md5sum = d9269cc085752e09f4acce37a18e160c
md5sum = 6635cfaf5eeb46ec6b97bd7a12ffc4e3
[template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in
......
......@@ -94,7 +94,7 @@
{%- endif %} {#- if 'default-path' in slave_parameter #}
rewrite {
regexp (.*)
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
} {# rewrite #}
{%- elif slave_type == 'redirect' and backend_url %} {#- if slave_type == 'zope' and backend_url #}
# Redirect configuration
......@@ -216,7 +216,7 @@
{%- endif %} {#- if 'default-path' in slave_parameter #}
rewrite {
regexp (.*)
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
} {# rewrite #}
{%- else %} {#- if https_only #}
# Default configuration
......
......@@ -3042,6 +3042,16 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'server-alias-unsafe': {
'server-alias': '${section:option} afterspace',
},
'virtualhostroot-http-port-unsafe': {
'type': 'zope',
'url': cls.backend_url,
'virtualhostroot-http-port': '${section:option}',
},
'virtualhostroot-https-port-unsafe': {
'type': 'zope',
'url': cls.backend_url,
'virtualhostroot-https-port': '${section:option}',
},
}
def test_master_partition_state(self):
......@@ -3051,9 +3061,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
expected_parameter_dict = {
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '2',
'accepted-slave-amount': '4',
'rejected-slave-amount': '2',
'slave-amount': '4',
'slave-amount': '6',
'rejected-slave-list':
'["_server-alias-unsafe", "_custom_domain-unsafe"]'}
......@@ -3157,3 +3167,63 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
parameter_dict,
{}
)
def test_virtualhostroot_http_port_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'virtualhostroot-http-port-unsafe']
self.assertLogAccessUrlWithPop(
parameter_dict, 'virtualhostroot-http-port-unsafe')
self.assertEqual(
parameter_dict,
{
'domain': 'virtualhostroothttpportunsafe.example.com',
'replication_number': '1',
'url': 'http://virtualhostroothttpportunsafe.example.com',
'site_url': 'http://virtualhostroothttpportunsafe.example.com',
'secure_access':
'https://virtualhostroothttpportunsafe.example.com',
'public-ipv4': LOCAL_IPV4,
}
)
result = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqualResultJson(
result,
'Path',
'/VirtualHostBase/http//virtualhostroothttpportunsafe'
'.example.com:0//VirtualHostRoot/test-path'
)
def test_virtualhostroot_https_port_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'virtualhostroot-https-port-unsafe']
self.assertLogAccessUrlWithPop(
parameter_dict, 'virtualhostroot-https-port-unsafe')
self.assertEqual(
parameter_dict,
{
'domain': 'virtualhostroothttpsportunsafe.example.com',
'replication_number': '1',
'url': 'http://virtualhostroothttpsportunsafe.example.com',
'site_url': 'http://virtualhostroothttpsportunsafe.example.com',
'secure_access':
'https://virtualhostroothttpsportunsafe.example.com',
'public-ipv4': LOCAL_IPV4,
}
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
der2pem(result.peercert),
open('wildcard.example.com.crt').read())
self.assertEqualResultJson(
result,
'Path',
'/VirtualHostBase/https//virtualhostroothttpsportunsafe'
'.example.com:0//VirtualHostRoot/test-path'
)
......@@ -5,6 +5,10 @@ TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_access_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_error_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_error_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-http-port-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-http-port-unsafe_error_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-https-port-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_virtualhostroot-https-port-unsafe_error_log
TestSlaveBadParameters-1/var/log/monitor-httpd-error.log
TestSlaveBadParameters-1/var/log/nginx-access.log
TestSlaveBadParameters-1/var/log/nginx-error.log
......
......@@ -2,4 +2,8 @@ TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-e
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-re6st-optimal-test
\ No newline at end of file
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-re6st-optimal-test
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-http-port-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-http-port-unsafe-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-https-port-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_virtualhostroot-https-port-unsafe-error-log-last-hour
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment