Bug 65481 - PUT request considered as GET by "require " directives
Summary: PUT request considered as GET by "require " directives
Status: NEEDINFO
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_core
Version: 2.4.29
Hardware: PC Linux
Importance: P2 regression
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-05 07:02 UTC by ajirge
Modified: 2021-08-12 11:32 UTC
Description ajirge 2021-08-05 07:02:43 UTC
Error

2021-08-05T06:49:12+00:00 <hostname> httpd[15433]: [authz_core:error] [pid 15433] [client 10.44.x.xx:60101] AH01630: client denied by server configuration: /home/www/xxxx/php/receiver/Upload/Queued/file3.txt


Curl request

curl -kv -u "$UPDLOGIN:$UPDPASS" -T /root/install.log "$NOCURL/receiver/Upload/Queued/file3.txt" 2>&1



Httpd/access_log

10.44.1.17 - <username> [05/Aug/2021:06:53:23 +0000] "PUT /receiver/Upload/Queued/file3.txt HTTP/1.1" 200 - "-" "curl/7.71.1" 17102 0


httpd.conf


 <Directory "/home/www/XXX/php/receiver/Upload">
        require method PUT
        AllowOverride All
        Options -Indexes +FollowSymLinks -Includes
        AuthName      "NocHost"
        AuthType      Basic
        AuthUserFile  /home/www/XXX/conf/htpasswd_host
        Script PUT /receiver/put.php
        <Limit PUT>
            require valid-user
        </Limit>
    </Directory>


Conclusion:

If the require clause is modified as follows, it overcomes the errors, but I expect to limit the requests to the PUT method only.

     require method PUT GET


Here the PUT requests are considered as GET methods and hence generate errors if GET requests are blocked.
Comment 1 Eric Covener 2021-08-05 11:30:23 UTC
Please post full matching access/error logs @ LogLevel trace8
Comment 2 ajirge 2021-08-05 18:20:47 UTC
Apache Configuration


LogLevel trace8
ErrorLog syslog:local0
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" combined
CustomLog "|/usr/sbin/httplog /var/log/httpd/access_log.%Y%m%d" combined


<VirtualHost _default_:50011>

    ServerName example.com
    DocumentRoot /home/www/xxx/php
    ErrorLog syslog:local1
    CustomLog "| /usr/sbin/httplog /var/log/httpd/xxx_access_log.%Y%m%d" combined
	
	<Directory "/home/www/xxx/php/receiver/Upload">
        require method PUT
        AllowOverride All
        Options -Indexes +FollowSymLinks -Includes
        AuthName      "NocHost"
        AuthType      Basic
        AuthUserFile  /home/www/xxx/conf/htpasswd_host
        Script PUT /receiver/put.php
        <Limit PUT>
            require valid-user
        </Limit>
    </Directory>
</VirtualHost>


Curl Request


[root@localhost ~]# (. /usr/local/example/admin/etc/admin.conf; curl -kv -u "$UPDLOGIN:$UPDPASS" -T /root/install.log "$NOCURL/receiver/Upload/Queued/file3.txt" 2>&1)

*   Trying 10.44.3.55:443...
* Connected to xxx.p32.eng.sjc01.example.com (10.44.3.55) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=Foster City; O=example, Inc.; OU=Engineering; CN=*.p32.eng.sjc01.example.com
*  start date: Feb 15 04:55:00 2021 GMT
*  expire date: Feb 15 04:55:00 2022 GMT
*  issuer: C=US; ST=California; L=Redwood City; O=example, Inc.; OU=Operations; CN=example Ops T2v1; emailAddress=ops@example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user '099991506691'
> PUT /receiver/Upload/Queued/file3.txt HTTP/1.1
> Host: xxx.p32.eng.sjc01.example.com
> Authorization: Basic MxxxxxtoLis=
> User-Agent: curl/7.71.1
> Accept: */*
> Content-Length: 10034
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 Created
< Date: Thu, 05 Aug 2021 18:10:58 GMT
< Server: Apache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host xxx.p32.eng.sjc01.example.com left intact



/var/log/messages



2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com systemd[1]: Started LSB: start and stop Apache HTTP Server.
2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com httpd[28345]: [mpm_prefork:notice] [pid 28345] AH00163: Apache/2.4.29 (Unix) OpenSSL/1.0.2k-fips configured -- resuming normal operations
2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com httpd[28345]: [mpm_prefork:info] [pid 28345] AH00164: Server built: Dec 28 2020 12:40:18
2021-08-05T18:10:25+00:00 mon02.p32.eng.sjc01.example.com httpd[28345]: [core:notice] [pid 28345] AH00094: Command line: '/usr/sbin/httpd'
2021-08-05T18:10:58+00:00 mon02.p32.eng.sjc01.example.com httpd[28357]: [authz_core:error] [pid 28357] [client 10.44.1.17:23881] AH01630: client denied by server configuration: /home/www/xxx/php/receiver/Upload/Queued/file3.txt



/var/log/httpd/xxx_access_log

10.44.1.17 - 099991506691 [05/Aug/2021:18:10:58 +0000] "PUT /receiver/Upload/Queued/file3.txt HTTP/1.1" 200 - "-" "curl/7.71.1" 28357 0




But if we replace "require method PUT" with "require method PUT GET", the error AH01630 vanishes.
(In reply to Eric Covener from comment #1)
> Please post full matching access/error logs @ LogLevel trace8
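A way to find the symptom described above (an AH01630 denial in the error log for a request the access log shows as 200) across a whole day's logs, as an added example that is not part of this bug report: it joins each denial to its access-log line on the child pid that the reporter's LogFormat records with %P, plus client IP, requested path and a time window. The sample lines are constructed in the two formats shown in the report; the hostname and the second, denied GET request are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the two log formats in this bug report:
# a syslog-forwarded httpd error log and the reporter's LogFormat ending in
# "%P %T" (child pid, seconds). The second request is invented for contrast.
ERROR_LOG = """\
2021-08-05T18:10:25+00:00 mon02 httpd[28345]: [mpm_prefork:notice] [pid 28345] AH00163: Apache/2.4.29 (Unix) configured -- resuming normal operations
2021-08-05T18:10:58+00:00 mon02 httpd[28357]: [authz_core:error] [pid 28357] [client 10.44.1.17:23881] AH01630: client denied by server configuration: /home/www/xxx/php/receiver/Upload/Queued/file3.txt
2021-08-05T18:11:40+00:00 mon02 httpd[28360]: [authz_core:error] [pid 28360] [client 10.44.1.17:23890] AH01630: client denied by server configuration: /home/www/xxx/php/receiver/Upload/Queued/file4.txt
"""
ACCESS_LOG = """\
10.44.1.17 - 099991506691 [05/Aug/2021:18:10:58 +0000] "PUT /receiver/Upload/Queued/file3.txt HTTP/1.1" 200 - "-" "curl/7.71.1" 28357 0
10.44.1.17 - - [05/Aug/2021:18:11:40 +0000] "GET /receiver/Upload/Queued/file4.txt HTTP/1.1" 403 199 "-" "curl/7.71.1" 28360 0
"""

ERROR_RE = re.compile(
    r'^(?P<ts>\S+) \S+ httpd\[\d+\]: \[authz_core:error\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<ip>[\d.]+):\d+\] AH01630: client denied by server configuration: (?P<path>\S+)$')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<pid>\d+) (?P<secs>\d+)$')

def _parse(log, regex, parse_ts):
    # Keep only lines matching the regex; timestamps become aware datetimes.
    out = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            out.append(d)
    return out

def correlate(error_log, access_log, window=timedelta(seconds=2)):
    """Join each AH01630 denial to its request via pid (%P), client IP, path and
    time window; flag denials whose request nevertheless returned 2xx."""
    denials = _parse(error_log, ERROR_RE, datetime.fromisoformat)
    requests = _parse(access_log, ACCESS_RE,
                      lambda s: datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z"))
    results = []
    for d in denials:
        hit = next((r for r in requests
                    if r["pid"] == d["pid"] and r["ip"] == d["ip"]
                    and d["path"].endswith(r["uri"])
                    and abs(r["ts"] - d["ts"]) <= window), None)
        results.append({"path": d["path"], "method": hit and hit["method"],
                        "status": hit and int(hit["status"]),
                        "denied_but_served": bool(hit) and hit["status"][0] == "2"})
    return results
```

A row with denied_but_served set means the 403 logged by mod_authz_core was not the main request's final decision, which is exactly the access-log 200 / error-log AH01630 pair shown above.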
Comment 3 Christophe JAILLET 2021-08-06 09:54:51 UTC
Hi,

I guess that your error_log file should be more verbose than what you have provided.

Are you sure that your login/password are correct?
What if you remove the <Limit PUT> block in the conf? Does GET still succeed?
Comment 4 ajirge 2021-08-09 06:10:17 UTC
(In reply to Christophe JAILLET from comment #3)
> Hi,
> 
> I guess that your error_log file should be more verbose than what you have
> provided.
> 
> Are you sure that your login/password are correct?
> What if you remove the <Limit PUT> block in the conf? Does GET still
> succeed?

I tried everything possible to enable verbose logs. But debug mode generated very little information, which I shared on the bug.

The credential provided is also correct. 

If I remove the <Limit PUT> block, GET fails. In fact, GET always fails if only PUT is allowed. (<LIMIT PUT> or require method PUT).

In this bug, everything is working as expected. I am able to upload files using the PUT method successfully with VALID credentials.

The only thing wrong here is an error message which is getting generated in the error logs (however, it does not have any adverse effect on the workflow of PUT).


For compliance reasons, we need to address every Error. And to suppress these error messages we can not allow the GET method for security reasons.
Comment 5 Eric Covener 2021-08-12 11:32:42 UTC
Does this act any better?

 <Directory "/home/www/XXX/php/receiver/Upload">
        <RequireAll>
          require method PUT
          require valid-user
        </RequireAll>
        AllowOverride All
        Options -Indexes +FollowSymLinks -Includes
        AuthName      "NocHost"
        AuthType      Basic
        AuthUserFile  /home/www/XXX/conf/htpasswd_host
        Script PUT /receiver/put.php
    </Directory>

Does your config similarly protect direct access to /receiver/put.php?
Does the error message get triggered when /receiver/put.php is accessed directly?