DO NOT REPLY [Bug 51463] New: Tomcat.setBaseDir (package org.apache.catalina.startup) should use temp directory as default instead of current directory

Fri, 01 Jul 2011 10:29:58 -0700 

https://issues.apache.org/bugzilla/show_bug.cgi?id=51463

             Bug #: 51463
           Summary: Tomcat.setBaseDir  (package
                    org.apache.catalina.startup)  should use temp
                    directory as default instead of current directory
           Product: Tomcat 7
           Version: trunk
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: business2008+issues.apache....@rodneybeede.com
    Classification: Unclassified


Currently the JavaDoc for the Tomcat.setBaseDir method states:

     * Tomcat needs a directory for temp files. This should be the 
     * first method called. 
     * 
     * By default, if this method is not called, we use:
     *  - system properties - catalina.base, catalina.home 
     *  - $HOME/tomcat.$PORT
     * ( /tmp doesn't seem a good choice for security ).
     *   
     *
     * TODO: better default ? Maybe current dir ? 
     * TODO: disable work dir if not needed ( no jsp, etc ).




----------------

The temporary directory of the system as per "java.io.tmpdir"
(System.getProperties()) should be used.  Use of the current directory
("user.dir") as a default isn't really anymore secure since the current working
directory may or may not be locked down anyway (ex: many Linux systems default
to user directories being browsable by others).

Java 7 will have support in the NIO packages for creating files with
permissions at the outset.  For older Java versions there isn't a nice work
around other than things that would call platform specific external commands.

Perhaps if catalina.base & catalina.home are not found then check to see if
native JNI calls, system exec calls, or Java 7 calls could be made to create
the directory structure in the java.io.tmpdir directory.  If not throw a
SecureTempDirectoryUnavailableException with JavaDoc or an error message
stating that one way to handle the problem is to call setBaseDir on a directory
the programmer can trust.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to