Bug 1010485 - Apache plugin's WWWUtil should not follow HTTP redirects
Apache plugin's WWWUtil should not follow HTTP redirects
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Plugins (Show other bugs)
4.9
Unspecified Unspecified
unspecified Severity unspecified (vote)
: ---
: RHQ 4.10
Assigned To: RHQ Project Maintainer
Mike Foley
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-20 16:55 EDT by Elias Ross
Modified: 2014-04-23 08:31 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-04-23 08:31:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Elias Ross 2013-09-20 16:55:41 EDT
Description of problem:

Availability checks for Apache using the standard Java URL class when hitting redirects, were actually attempting to connect to remote sites when receiving a 300-series error. For when Apache is deployed in a datacenter, this can mean the check is actually hitting a web server outside of the datacenter which can fail, usually in the form of a timeout.

Version-Release number of selected component (if applicable): 4.9


How reproducible: Always, in some cases.


Steps to Reproduce:
1. Have Apache redirect / to a URL that times out (is host inaccessible, behind a firewall, etc.)
2. Observe 302 in the Apache request error log and timeouts in RHQ


Additional info:


commit 816e77ed7344c37a4c3ec42023f37cada62b1345
Author: Elias Ross <elias_ross@apple.com>
Date:   Fri Sep 20 13:54:29 2013 -0700

    BZ - fix issue with following redirects

diff --git a/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java b/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java
index 206db58..d84c1a2 100644
--- a/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java
+++ b/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java
@@ -102,6 +102,7 @@ public static AvailabilityResult checkAvailability(URL httpURL, int timeout) {
         HttpURLConnection connection;
         try {
             connection = (HttpURLConnection) httpURL.openConnection();
+            connection.setInstanceFollowRedirects(false);
         } catch (IOException e) {
             String errorMessage = "Failed to open URLConnection for [" + httpURL + "].";
             LOG.error(errorMessage, e);


Probably should be applied as well to GET attempts.
Comment 1 Elias Ross 2013-09-20 16:57:55 EDT
It might make more sense to turn off redirects completely in the plugin container. I can't think of too many cases where this is the desired behavior, and may be a security issue besides.
Comment 2 Libor Zoubek 2014-02-20 08:46:37 EST
Elias, thank you for contribution. What exactly do you mean by turning it off completely in plugin container? I'd open up a new BZ for it, because there might be a big impact.

In master

commit fd35779a4925d0eee70620bcc7cb47b77de4efc0
Author: Elias Ross <elias_ross@apple.com>
Date:   Thu Feb 20 14:34:46 2014 +0100

    [BZ 1010485] Apache plugin's WWWUtil should not follow HTTP redirects
Comment 3 Elias Ross 2014-02-20 22:52:38 EST
I meant at the class level you can set allow redirects:

http://docs.oracle.com/javase/7/docs/api/java/net/HttpURLConnection.html#setFollowRedirects(boolean)

What could happen is initially a URL is being tested (perhaps with login credentials), and if the service is replaced (possibly by a hacker), the request could be redirected offsite. This seems like a bad idea.

This could happen in a third-party plugin as well. I'm just saying it is behavior that might be undesirable by default.
Comment 4 Heiko W. Rupp 2014-04-23 08:31:27 EDT
Bulk closing of 4.10 issues.

If an issue is not solved for you, please open a new BZ (or clone the existing one) with a version designator of 4.10.

Note You need to log in before you can comment on or make changes to this bug.