URL based permissions adding broken in balrog

VERIFIED FIXED

Status

Infrastructure & Operations Graveyard
WebOps: Product Delivery
4 years ago
10 months ago

People

(Reporter: bhearsum, Assigned: solarce)

Details

(Whiteboard: [reit-ops])

(Reporter)

Description

4 years ago
Just got this when I tried to add a specific permission for ffxbld in Balrog prod:
The requested URL /users/ffxbld/permissions//releases/:name/builds/:platform/:locale was not found on this server.

I'm suspecting something is broken in the routing.
(Reporter)

Updated

4 years ago
Component: Tools → Balrog: Backend
QA Contact: hwine → bhearsum
(Reporter)

Comment 1

3 years ago
I was able to reproduce this locally and discovered this:
[Wed Jan 08 15:45:08.086283 2014] [core:info] [pid 4121] [client 127.0.0.1:43758] AH00026: found %2f (encoded '/') in URI (decoded='/users/stage/permissions//releases/:name/builds/:platform/:locale'), returning 404, referer: http://localhost/user_permissions.html?username=stage

After some googling, I found that setting AllowEncodedSlashes to On or NoDecode fixes the issue.
(Reporter)

Comment 2

3 years ago
And from the Apache docs: "If encoded slashes are needed in path info, use of NoDecode is strongly recommended as a security measure. Allowing slashes to be decoded could potentially allow unsafe paths." - so we should be using NoDecode.

IT, can we get "AllowEncodedSlashes NoDecode" set for all of the aus4 admin apps (dev, stage, prod)?
Component: Balrog: Backend → WebOps: Product Delivery
Product: Release Engineering → Infrastructure & Operations
QA Contact: bhearsum → nmaul
Version: unspecified → other
(Reporter)

Comment 3

3 years ago
Whoops, this probably shouldn't be assigned to me anymore...
Assignee: bhearsum → server-ops-webops
(Reporter)

Comment 4

3 years ago
Any idea when someone can get to this?
Flags: needinfo?(nmaul)
Whiteboard: [reit-ops]
(Assignee)

Updated

3 years ago
Assignee: server-ops-webops → bburton
Flags: needinfo?(nmaul)
(Assignee)

Comment 5

3 years ago
Unfortunately we can't use NoDecode because it only ships in 2.2.18 [1] or newer and RHEL 6 httpd is 2.2.15 with backported security patches.

[1] http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

Should I set it with just "AllowEncodedSlashes On"?
(Reporter)

Comment 6

3 years ago
(In reply to Brandon Burton [:solarce] from comment #5)
> Unfortunately we can't use NoDecode because it only ships in 2.2.18 [1] or
> newer and RHEL 6 httpd is 2.2.15 with backported security patches
> 
> [1] http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
> 
> Should I set it with just "AllowEncodedSlashes On"?

That sounds fine to me.
(Assignee)

Comment 7

3 years ago
Shipped to dev, stage, and prod via Puppet.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

3 years ago
Verified - thanks!
Status: RESOLVED → VERIFIED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
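
Added example, not part of the bug thread and not Balrog or httpd code: a simplified Python model of the three AllowEncodedSlashes values discussed in comments 1, 2 and 5, following the documented behaviour quoted in comment 2. The names apache_view, permission_segments and RAW are assumptions made for illustration, and RAW is a constructed request path built from the permission string in the description.

```python
import re
from urllib.parse import unquote

# Matches an encoded '/' in either case, as in the log line's "found %2f".
ENCODED_SLASH = re.compile(r"(%2f)", re.IGNORECASE)

def apache_view(raw_path, mode):
    """Simplified model of AllowEncodedSlashes (documented behaviour only):
    returns (status, path passed on to the application)."""
    if mode not in ("Off", "On", "NoDecode"):
        raise ValueError("unknown AllowEncodedSlashes value: %r" % mode)
    if mode == "Off":
        # Default: any encoded slash in the path is refused outright.
        if ENCODED_SLASH.search(raw_path):
            return 404, None
        return 200, unquote(raw_path)
    if mode == "On":
        # Accepted, and %2F is decoded like every other escape.
        return 200, unquote(raw_path)
    # NoDecode: accepted, other escapes decoded, %2F left as it was sent.
    parts = ENCODED_SLASH.split(raw_path)
    return 200, "".join(p if ENCODED_SLASH.fullmatch(p) else unquote(p)
                        for p in parts)

def permission_segments(path, marker="permissions"):
    """Segments after `marker`, as a router splitting on '/' sees them."""
    segments = path.split("/")
    return segments[segments.index(marker) + 1:]

# Constructed request path: the permission from the bug, percent-encoded.
RAW = "/users/ffxbld/permissions/%2Freleases%2F:name%2Fbuilds%2F:platform%2F:locale"

if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        status, path = apache_view(RAW, mode)
        tail = permission_segments(path) if path else None
        print(mode, status, path, tail)
```

With On, the single permission value reaches the application as six path segments (the first one empty), so the route has to accept a multi-segment tail and any check keyed on segment boundaries sees the decoded structure. With NoDecode it stays one segment that the application decodes itself.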