Your message dated Tue, 12 Sep 2006 15:51:11 +0200
with message-id <[EMAIL PROTECTED]>
and subject line tomcat4: Tomcat ignores "allowLinking" resource on restart 
(not reload) from manager
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: tomcat4
Version: 4.1.31-local-3
Severity: important
Tags: patch

Tomcat forgets the "allowLinking" resource on restart from the manager
interface.
A quick investigation has shown that during stop "allowLinking" is reset to
false and the system startup will fail.
I have found that bug in the Tomcat mailing list
(http://issues.apache.org/bugzilla/show_bug.cgi?id=21818)
In HEAD that bug is fixed.
But not yet in the Debian package :-(

I have stolen a patch from CVS and applied it to the source from the Debian package.
After installing that package I passed some tests with restarting the
application from the manager (I use a log4j symlink in WEB-INF in my webapp). It
works fine.


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-dl380-g3.guard
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tomcat4 depends on:
ii  adduser                   3.59           Add and remove users and groups
ii  apache2-common            2.0.52-3       Next generation, scalable, extenda
ii  libtomcat4-java           4.1.31-local-3 Java Servlet engine -- core librar
ii  sun-j2sdk1.5 [java-compil 1.5.0+update01 Java(TM) 2 SDK, Standard Edition, 
ii  sun-j2sdk1.5debian [java- 0.18           Debian specific parts of Java(TM) 

-- no debconf information


The patch:


diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java	2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java	2005-02-10 16:39:03.000000000 +0200
@@ -82,7 +82,7 @@
  *
  * @author Craig R. McClanahan
  * @author Remy Maucherat
- * @version $Revision: 1.125 $ $Date: 2004/08/26 21:32:20 $
+ * @version $Revision: 1.126 $ $Date: 2004/11/19 20:52:02 $
  */
 
 public class StandardContext
@@ -134,7 +134,6 @@
      */
     private boolean available = false;
 
-
     /**
      * The Locale to character set mapper for this application.
      */
@@ -417,6 +416,24 @@
 
 
     /**
+     * Case sensitivity.
+     */
+    protected boolean caseSensitive = true;
+
+
+    /**
+     * Allow linking.
+     */
+    protected boolean allowLinking = false;
+
+
+    /**
+     * Cache TTL in ms.
+     */
+    protected int cacheTTL = 5000;
+
+
+    /**
      * Caching allowed flag.
      */
     protected boolean cachingAllowed = true;
@@ -427,6 +444,7 @@
      */
     protected DirContext webappResources = null;
 
+    
 
     // ----------------------------------------------------- Context Properties
 
@@ -447,6 +465,55 @@
     }
 
 
+
+    /**
+     * Set case sensitivity.
+     */
+    public void setCaseSensitive(boolean caseSensitive) {
+        this.caseSensitive = caseSensitive;
+    }
+
+
+    /**
+     * Is case sensitive ?
+     */
+    public boolean isCaseSensitive() {
+        return caseSensitive;
+    }
+
+
+    /**
+     * Set allow linking.
+     */
+    public void setAllowLinking(boolean allowLinking) {
+        this.allowLinking = allowLinking;
+    }
+
+
+    /**
+     * Is linking allowed.
+     */
+    public boolean isAllowLinking() {
+        return allowLinking;
+    }
+
+
+    /**
+     * Set cache TTL.
+     */
+    public void setCacheTTL(int cacheTTL) {
+        this.cacheTTL = cacheTTL;
+    }
+
+
+    /**
+     * Get cache TTL.
+     */
+    public int getCacheTTL() {
+        return cacheTTL;
+    }
+
+
     /**
      * Returns true if the internal naming support is used.
      */
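Review bot: setCaseSensitive, setAllowLinking and setCacheTTL only assign the field, and the only place in this patch that pushes these values into webappResources is the resources setup in the @@ -3281 hunk, so a value changed on a running context (the patch also exposes these as MBean attributes) has no effect until the resources are set up again. Say so in the Javadoc of each setter, which currently reads only "Set allow linking." and the like, and carry the security note from context.xml into the comments for setAllowLinking and setCaseSensitive.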
@@ -3281,8 +3348,19 @@
         try {
             ProxyDirContext proxyDirContext = 
                 new ProxyDirContext(env, webappResources);
+            if (webappResources instanceof FileDirContext) {
+                filesystemBased = true;
+                ((FileDirContext) webappResources).setCaseSensitive
+                    (isCaseSensitive());
+                ((FileDirContext) webappResources).setAllowLinking
+                    (isAllowLinking());
+            }
+
             if (webappResources instanceof BaseDirContext) {
                 ((BaseDirContext) webappResources).setDocBase(getBasePath());
+                ((BaseDirContext) webappResources).setCached
+                    (isCachingAllowed());
+                ((BaseDirContext) webappResources).setCacheTTL(getCacheTTL());
                 ((BaseDirContext) webappResources).allocate();
             }
             this.resources = proxyDirContext;
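Review bot: the new FileDirContext block calls setCaseSensitive(isCaseSensitive()) and setAllowLinking(isAllowLinking()) unconditionally, so whatever was configured on the resources object itself is overwritten by the Context value, including by the Context defaults (allowLinking false, caseSensitive true) when the Context attributes are not set. The same holds for setCached(isCachingAllowed()), although context.xml describes the override only for the false case. If that precedence is intended, state it in resources.xml; otherwise apply the Context value only when it was explicitly set. Separately, filesystemBased is set to true here, but nothing in the visible lines resets it to false when webappResources is not a FileDirContext.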
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml	2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml	2005-02-10 16:46:12.000000000 +0200
@@ -6,7 +6,7 @@
 <!--
      Descriptions of JMX MBeans for Catalina
 
-     $Id: mbeans-descriptors.xml,v 1.82 2004/01/25 23:07:16 billbarker Exp $
+     $Id: mbeans-descriptors.xml,v 1.83 2004/11/19 20:52:02 markt Exp $
  -->
 
 <mbeans-descriptors>
@@ -2072,9 +2072,23 @@
                 group="Context"
                  type="org.apache.catalina.core.StandardContext">
 
-    <attribute   name="cookies"
-          description="Should we attempt to use cookies for session id
-                        communication?"
+    <attribute   name="allowLinking"
+          description="Allow symlinking to outside the webapp root directory, if the webapp is an exploded directory"
+                   is="true"
+                 type="boolean"/>
+
+    <attribute   name="cacheTTL"
+          description="Time interval in ms between cache refeshes"
+                 type="int"/>
+      
+    <attribute   name="cachingAllowed"
+          description="Should we cache static resources for this webapp"
+                   is="true"
+                 type="boolean"/>
+
+    <attribute   name="caseSensitive"
+          description="Should case sensitivity checks be performed"
+                   is="true"
                  type="boolean"/>
 
     <attribute   name="cookies"
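Review bot: typo in the cacheTTL description, "refeshes" should be "refreshes". The allowLinking description also omits the restriction documented in context.xml (must not be true on a filesystem that is not case sensitive); a short mention here would help anyone who sets the attribute from a JMX console rather than from the configuration file.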
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml	2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml	2005-02-10 17:03:37.000000000 +0200
@@ -169,12 +169,38 @@
 
     <attributes>
 
+      <attribute name="allowLinking" required="false">
+        <p>If the value of this flag is <code>true</code>, symlinks will be
+        allowed inside the web application, pointing to resources outside the
+        web application base path. If not specified, the default value
+        of the flag is <code>false</code>.</p>
+        <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform
+        (or any other OS which does not have a case sensitive filesystem),
+        as it will disable case sensitivity checks, allowing JSP source code
+        disclosure, among other security problems.</b></p>
+      </attribute>
+
+      <attribute name="cacheTTL" required="false">
+        <p>Amount of time in milliseconds between cache entries revalidation.
+        If not specified, the default value is <code>5000</code> 
+        (5 seconds).</p>
+      </attribute>
+
       <attribute name="cachingAllowed" required="false">
         <p>This boolean flag indicates if the resources may be cached. It
         defaults to <code>true</code>. If set to <code>false</code>, this
         flag overrides the <em>cached</em> attribute of any contained
-        <a href="resources.html">Resources</a>
- element.</p>
+        <a href="resources.html">Resources</a>
 element.</p>
+      </attribute>
+
+      <attribute name="caseSensitive" required="false">
+        <p>If the value of this flag is <code>true</code>, all case sensitivity
+        checks will be disabled. If not 
+        specified, the default value of the flag is <code>true</code>.</p>
+        <p><b>NOTE: This flag MUST NOT be set to false on the Windows platform
+        (or any other OS which does not have a case sensitive filesystem),
+        as it will disable case sensitivity checks, allowing JSP source code
+        disclosure, among other security problems.</b></p>
       </attribute>
 
       <attribute name="debug" required="false">
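Review bot: the first sentence of the new caseSensitive entry is inverted. It says that with the flag set to true "all case sensitivity checks will be disabled", while the default is given as true and the NOTE below warns against false because that disables the checks; the sentence should say the checks are disabled when the flag is false. In the allowLinking entry, the NOTE gives "as it will disable case sensitivity checks" as the reason, which reads as copied from the caseSensitive note; explain how allowing links affects those checks, or reword the reason.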
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml	2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml	2005-02-10 17:05:38.000000000 +0200
@@ -85,8 +85,8 @@
       </attribute>
 
       <attribute name="caseSensitive" required="false">
-        <p>This boolean flag toggles case sensitivity for resourceson 
-        the Windows platform. Defaults to <code>true</code>.</p>
+        <p>This is the functional equivalent to the <em>caseSensitive</em> 
+        of a <a href="context.html">Context</a>.</p>
       </attribute>
 
       <attribute name="docBase" required="false">
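Review bot: "the caseSensitive of a Context" is missing the word "attribute", and the replacement drops the stated default without saying which value applies when both the Resources and the Context attribute are set. Suggest "the caseSensitive attribute of a Context" plus one sentence on precedence.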

--- End Message ---
--- Begin Message ---
Tomcat4 has been removed from Debian.

Also, this bug was solved upstream, I suppose it's solved in tomcat5.5

- --
  .''`.
 : :' :rnaud
 `. `'
   `-
Java Trap: http://www.gnu.org/philosophy/java-trap.html

--- End Message ---
_______________________________________________
pkg-java-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
