Author: markt
Date: Fri Sep  8 09:36:08 2017
New Revision: 1807698

URL: http://svn.apache.org/viewvc?rev=1807698&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61489
When using the CGI servlet, make the generation of command line arguments from 
the query string (as per section 4.4 of RFC 3875) optional and disabled by 
default.
Based on a patch by jm009
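The rule this commit gates is RFC 3875 section 4.4: a query string with no unencoded "=" is an "indexed" query, and its "+"-separated words, URL-decoded one by one, become the script's command line arguments. The following is an added illustration and not Tomcat's code or jm009's patch; it models only the gate the commit introduces (argument generation skipped unless the switch is on, and only for GET, POST and HEAD as in the diff). The function names, the sample executable and the script path are assumptions made up for the example.

```python
"""Toy model of RFC 3875 section 4.4 indexed-query handling behind the
enableCmdLineArguments gate added in this commit.  Added example, not
Tomcat code: function and variable names are my own."""
from urllib.parse import unquote

# Methods for which the servlet considers building a command line
# (taken from the diff: GET, POST and HEAD).
_ARG_METHODS = {"GET", "POST", "HEAD"}


def is_indexed_query(query_string):
    """RFC 3875 4.4: a query is 'indexed' only if it contains no
    unencoded '='.  An encoded '=' (%3D) does not disqualify it."""
    return query_string is not None and "=" not in query_string


def build_cmd_line_args(method, query_string, enable_cmd_line_arguments=False):
    """Return the argument list a CGI script would receive.

    Mirrors the gated branch in the patch: nothing is generated unless the
    init-param is true, the method is GET/POST/HEAD and the query is
    indexed.  Words are split on '+' first and URL-decoded afterwards,
    so an encoded '+' (%2B) stays inside a single argument."""
    if not enable_cmd_line_arguments:
        return []  # default since this commit: never build arguments
    if method not in _ARG_METHODS:
        return []
    if not is_indexed_query(query_string) or query_string == "":
        return []
    return [unquote(word) for word in query_string.split("+") if word != ""]


def build_command(executable, script_path, method, query_string,
                  enable_cmd_line_arguments=False):
    """Full argv as it would be handed to the process launcher.  An empty
    executable means the script is run directly (cf. the 'executable'
    init-param description in cgi-howto.xml)."""
    cmd = [part for part in (executable, script_path) if part]
    cmd.extend(build_cmd_line_args(method, query_string,
                                   enable_cmd_line_arguments))
    return cmd


if __name__ == "__main__":
    # Constructed sample request: a GET for /cgi-bin/search.pl?term+%2Dv
    # with the hypothetical executable "perl" and script path below.
    script = "/var/www/WEB-INF/cgi/search.pl"
    for enabled in (False, True):
        print(enabled, build_command("perl", script, "GET", "term+%2Dv",
                                     enable_cmd_line_arguments=enabled))
```

With the flag off (the new default) the query string never reaches the command line; with it on, every word the client supplies becomes a separate argument, which is why the switch is opt-in.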

Modified:
    tomcat/trunk/conf/web.xml
    tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java
    tomcat/trunk/webapps/docs/cgi-howto.xml
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/conf/web.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1807698&r1=1807697&r2=1807698&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Fri Sep  8 09:36:08 2017
@@ -346,6 +346,11 @@
   <!--                        If not set, then webAppRootDir is used.       -->
   <!--                        Recommended value: WEB-INF/cgi                -->
   <!--                                                                      -->
+  <!--   enableCmdLineArguments                                             -->
+  <!--                        Are command line parameters generated from    -->
+  <!--                        the query string as per section 4.4 of 3875   -->
+  <!--                        RFC? [false]                                  -->
+  <!--                                                                      -->
   <!--   executable           Name of the executable used to run the        -->
   <!--                        script. [perl]                                -->
   <!--                                                                      -->
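Review bot: the phrase "section 4.4 of 3875 RFC" in the new enableCmdLineArguments comment reads awkwardly; "section 4.4 of RFC 3875" matches the log message and the rest of this file. Because this is the one init-param here that turns client-supplied query-string words into script command line arguments, a short reason for the false default (something like "Disabled by default because the query string is client-controlled") would help administrators who only ever read conf/web.xml.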

Modified: tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java?rev=1807698&r1=1807697&r2=1807698&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java Fri Sep  8 
09:36:08 2017
@@ -283,6 +283,13 @@ public final class CGIServlet extends Ht
     private final Hashtable<String,String> shellEnv = new Hashtable<>();
 
     /**
+     * Enable creation of script command line arguments from query-string.
+     * See https://tools.ietf.org/html/rfc3875#section-4.4
+     * 4.4.  The Script Command Line
+     */
+    private boolean enableCmdLineArguments = false;
+
+    /**
      * Sets instance variables.
      * <P>
      * Modified from Craig R. McClanahan's InvokerServlet
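Review bot: the Javadoc on the new enableCmdLineArguments field cites the RFC section but not why the default is false; one line stating that the argument list is built from an untrusted query string and is therefore opt-in would make the intent clear to the next maintainer. Minor: "query-string" is spelled "query string" elsewhere in this class and in the docs changes in the same commit.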
@@ -341,6 +348,11 @@ public final class CGIServlet extends Ht
             envHttpHeadersPattern =
                     
Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
         }
+
+        if (getServletConfig().getInitParameter("enableCmdLineArguments") != 
null) {
+            enableCmdLineArguments =
+                    
Boolean.parseBoolean(config.getInitParameter("enableCmdLineArguments"));
+        }
     }
 
 
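Review bot: the new init block mixes getServletConfig().getInitParameter(...) in the null check with config.getInitParameter(...) in the assignment; they refer to the same ServletConfig once super.init(config) has run, but the inconsistency invites a future bug and the envHttpHeaders block just above uses getServletConfig() throughout. Since Boolean.parseBoolean(null) already returns false, which is the field's default, the null guard can go and the whole block collapse to a single statement: enableCmdLineArguments = Boolean.parseBoolean(getServletConfig().getInitParameter("enableCmdLineArguments")); Note also that parseBoolean treats any value other than "true" (case-insensitive) as false, so a misspelled value silently leaves the feature disabled; that is the safe direction, but worth a sentence in the docs.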
@@ -670,9 +682,8 @@ public final class CGIServlet extends Ht
             // does not contain an unencoded "=" this is an indexed query.
             // The parsed query string becomes the command line parameters
             // for the cgi command.
-            if (req.getMethod().equals("GET")
-                || req.getMethod().equals("POST")
-                || req.getMethod().equals("HEAD")) {
+            if (enableCmdLineArguments && (req.getMethod().equals("GET")
+                || req.getMethod().equals("POST") || 
req.getMethod().equals("HEAD"))) {
                 String qs;
                 if (isIncluded) {
                     qs = (String) req.getAttribute(
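Review bot: the comment directly above the changed condition still states unconditionally that "The parsed query string becomes the command line parameters for the cgi command"; update it to say this now happens only when enableCmdLineArguments is true, otherwise a reader who stops at the comment will assume the pre-commit behaviour. The condition itself is right: with the flag false the GET/POST/HEAD branch is skipped entirely and no argument list is built, which is the intended default.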

Modified: tomcat/trunk/webapps/docs/cgi-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/cgi-howto.xml?rev=1807698&r1=1807697&r2=1807698&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/cgi-howto.xml (original)
+++ tomcat/trunk/webapps/docs/cgi-howto.xml Fri Sep  8 09:36:08 2017
@@ -96,6 +96,9 @@ the web application root directory + Fil
 By default there is no value, which results in the web application root
 directory being used as the search path. The recommended value is
 <code>WEB-INF/cgi</code></li>
+<li><strong>enableCmdLineArguments</strong> - Are command line parameters
+generated from the query string as per section 4.4 of 3875 RFC? The default is
+<code>false</code>.</li>
 <li><strong>executable</strong> - The name of the executable to be used to
 run the script. You may explicitly set this parameter to be an empty string
 if your script is itself executable (e.g. an exe file). Default is
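Review bot: "section 4.4 of 3875 RFC" should read "section 4.4 of RFC 3875", and the new entry should say why the default is false: with it enabled, words from the request's query string are passed as command line arguments to the script, so it should only be turned on for scripts written to expect RFC 3875 indexed queries. Stating that the accepted values are "true" and "false" and that anything else leaves the feature disabled would remove the remaining ambiguity for administrators.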

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1807698&r1=1807697&r2=1807698&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Sep  8 09:36:08 2017
@@ -75,6 +75,12 @@
         added in Java 9 to only disable the caching for JAR URL connections.
         (markt)
       </add>
+      <add>
+        <bug>61489</bug>: When using the CGI servlet, make the generation of
+        command line arguments from the query string (as per section 4.4 of RFC
+        3875) optional and disabled by default. Based on a patch by jm009.
+        (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">
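Review bot: the changelog entry should flag that this changes the default behaviour: installations whose CGI scripts relied on query-string command line arguments will stop receiving them after upgrade unless they set enableCmdLineArguments to true on the CGI servlet. Naming the init-param in the entry lets upgraders find the switch without reading the howto.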
