Re: CGI support servlet (TC 4) -- feedback wanted

[martin]

Craig R. McClanahan wrote:

 
 On Mon, 2 Apr 2001, Amy Roh wrote:
 
 
 Hi Martin,
 
 See comments below.
 
 Martin Dengler wrote:
 
 


[snip]


 1) Name, Package, and Inner Classes:
 
 Name:  Current name is CGIGatewayServlet.  The rationale is "this is the
 first name I thought of."  Would we prefer CGIInvokerServlet?
 
 
 I personally prefer CGIInvokerServlet than CGIGatewayServlet since
 CGIGatewayServlet sounds kind of redundant (because it is CGI(Common Gateway
 Interface) GatewayServlet.  This doesn't matter much though.
 
 
 
 I would be just as happy with CGIServlet (and SSIServlet for that
 matter).  But org.apache.catalina.servlets is definitely the right
 package.
 

Agreed with these and other comments I received on the redundancy point. 
  Both CGIServlet and CGIInvokerServlet sound good to me.  I can change 
it to CGIServlet and see how that works.

[snip]


 
 Inner Classes:  The CGIGatewayServlet.java file has one main class and
[...]
 
 BIG +1 for separating those inner classes and putting them in
 org.apache.catalina.util.cgi.  It will be a LOT easier to maintain.  I did this
 already for myself to review your code.  I can send them to you if you want to
 save a little time.  :-)
 
 
 
 +0 -- I'm not hung up on inner classes, but do not have any problem if
 others want them separated.
 

Hmm, yeah I thought people might generally find it slightly preferable. 
I'm generally +0, but sounds like it would be useful.

I will probably leave it a couple more days before I bring them out, 
just to get the various class responsibilities bedded down.  Especially 
the exec functionality (Bip and I are getting together on this for both 
SSI/CGI) would be reusable or at least easiest maintained outside as its 
own class(es).



 
 2) Addition to default context
 
 Would this CGI servlet be added to the default context similar to
 SsiInvokerServlet?
 
 Yes.
 
 
 
 I would suggest that we do this, but leave it commented out.  The reason
 is that the potential for mischief is *much* larger when we are talking
 about executing outside programs instead of just displaying content back
 to a web browser.  I vote for making the Tomcat sysadmin have to enable
 this feature explicitly if they want it.
 
 Once we implement the #exec functionality in SSI, the same argument would
 apply here -- unless we added a config option to disable the #exec by
 default but left everything else alone.
 
 An alternative (possibly additional) approach would be to tweak the
 security manager properties so that executing external programs is *not*
 allowed by default.  That way, we could leave these two servlets defined
 in the conf/web.xml file, but they won't be able to cause damage.


+1 on both counts.  Does that imply that for out-of-the-box Tomcat, 
maybe some CGI examples wouldn't work?  That's certainly not a bad 
thing, but it brings a couple of additional ideas to mind:
1) we leave the servlet in catalina's web.xml commented out and the 
security manager restrictive as suggested; or
2) As #1 above but also include the servlet definition  mapping in the 
examples webapp's web.xml, with the servlet smart enough to display a 
useful message if the security manager restricts access.  That way the 
servlet examples would produce meaningful behavior out-of-the-box, but 
the security restriction on running outside programs is still in place. 
  The admin would have to explicitly enable any such wild-and-crazy 
functionality.


 
 3) Providing Examples
 
 Would it be appropriate to provide some links in the examples webapp
 along with an example cgi script?  I would have thought so...
 
 YES.  In fact, could you send me some?
 
 
 
 Of course, such things are going to be platform-specific ... be sure to
 include examples for Windows as well as Unix platforms.
 

Good point, I guess I should provide:
1) Unix shell example (using #!/bin/sh)
2) Windows batch (*.bat)
3) Unix perl (using #!/usr/local/bin/perl, assume perl 4 only)
4) Windows perl (*.pl; would this alone work though??)



 5) Default location of cgi scripts
 
 In another project, we have put all cgi scripts under
 webapp/WEB-INF/cgi since they are then 1) not liable to be served by
 the container; yet 2) still encapsulated underneath the webapp's own
 directory structure.
 
 One observation and two issues here:
 
 Observation: the Servlet spec is obviously silent on CGI placement
 issues; yet we should probably support (and even default to?) something
 congruent with standard CGI practice of separating the HTML and CGI
 scripts (/doc-root and /cgi-bin) while not encouraging anything which
 breaks the Servlet API's web application filesystem (or war file)
 boundaries.
 
 Issue 1) generally, how do people like the webapp/WEB-INF/cgi solution
 in light of the above observation?
 
 +1
 
 
 
 One thing to keep in mind is that this won't work if the webapp is run
 directly from a WAR file unless you go to interesting lengths to extract
 these scripts from the WAR 

Re: CGI support servlet (TC 4) -- feedback wanted

[martin]

Amy,

Thanks for the feedback; see comments inline.

Martin

Amy Roh wrote:

 Hi Martin,
 
 See comments below.
 
 Martin Dengler wrote:
 

[snip]

 If so, would people prefer I do that myself and
 submit a load of file patches for the commit of the CGI servlet 
 related files which included the catalina web.xml?
 
 This is a minor issue adding a few lines to catalina web.xml.  I have done this
 already on my CVS tree.
 
 

Cool, I will include that as part of my submission.

 
 4) Providing Functional testing classes
 
 I was wondering if and how I should add any testing cgi scripts.  I have
 some (obviously :)), but should they be put into the tester area because
 they are for testing, or should I reuse some examples webapp (above
 issue #2) cgi scripts?  Any issues with this dependency?
 
 
 
 We can put them into tester area so we can run tester if/when we add/modify CGI
 feature.  Could you send me these scripts as well?

Right now they are basically the same scripts that I added to the 
examples webapp.  So, should I just duplicate the scripts so we have one 
set in tomcat-root/webapps/examples/WEB-INF/cgi-bin and one set in 
tomcat-root/tester/src/bin?  Or would the tester/src/bin/tester.xml 
simply have some targets which tested the output of some requests to 
http://server/examples/cgi-bin/cgitester.cgi, etc.?


 
 5) Default location of cgi scripts
 
 In another project, we have put all cgi scripts under
 webapp/WEB-INF/cgi since they are then 1) not liable to be served by
 the container; yet 2) still encapsulated underneath the webapp's own
 directory structure.
 
 One observation and two issues here:
 
 Observation: the Servlet spec is obviously silent on CGI placement
 issues; yet we should probably support (and even default to?) something
 congruent with standard CGI practice of separating the HTML and CGI
 scripts (/doc-root and /cgi-bin) while not encouraging anything which
 breaks the Servlet API's web application filesystem (or war file)
 boundaries.
 
 Issue 1) generally, how do people like the webapp/WEB-INF/cgi solution
 in light of the above observation?
 
 
 +1
 

Cool.



 Issue 2) if people like it, should we make it the default setting (by
 defining an init-parameter for the CGI servlet in the container-wide
 web.xml file)?
 
 
 I think we should designate a cgi directory where people can put CGI scripts for
 security reasons.

Yes, on a per-webapp level?

 
 Is the source code from  http://www.martindengler.com/proj/CGIGatewayServlet.zip
 the most updated one?
 

I have made some more updates which I have not posted yet.  Once I take 
into account your  others' suggestions, I will update that zip file.  I 
imagine I can make most of the changes tonight and re-package tomorrow, 
so hopefully a new one will be up soon.

 
 Amy
 



 
Thanks for all the feedback.

Martin

Re: CGI support servlet (TC 4) -- feedback wanted

[martin]

Mel Martinez wrote:

 --- Bip Thelin [EMAIL PROTECTED] wrote:
 

[snip]

 
 +1 on having CGI in web.xml but commented out,
 regarding SSI I suggest
 we add a configure property(like Apaches NoExec)
 that set's whether #exec is
 allowed or not. And if that property is not set it
 defaults to NoExec.
 
 So for a standard setup SSI would be allowed but
 you'd have to bug your
 Tomcat sysadmin to have the #exec option enabled.
 Sort of like a standard Apache setup.
 
  ..bip
 
 
 +1 on what Bip said.


Cool -- regardless of the security manager settings we decide on, I will 
submit with the web.xml entry commented out as requested.


 
 mel
 


Chrs,
Martin

RE: Tomcat 4.0-beta-2 Security Vulnerability

[GOMEZ Henri]

 I suggest that we create a revised version of beta
 2, clearly labelled so
 that people will know whether they have the
 corrected version or not --
 and we should do this immediately (like today) to
 minimize the number of
 people who end up downloading twice.
 
 I suggest we call the updated version "Tomcat
 4.0-beta-2-update-1" or
 something like that.
 
 Comments?  Votes?
 

I vote you just call it  "Tomcat-4.0-beta-3".  I don't
recall ever being told there were limits to the number
of betas one can produce.  :-)  I believe that a new
beta number is justified by any significant bug fix or
fixes and a security hole is definitely significant,
even if the code change may be tiny.

+1 for Tomcat-4.0-beta-3

And what about including in TC 4.0b3 my patches which
help build tc 4.0 on non standard distro, ie jsse.jar
not in JSSE_HOME/lib or jmxri.jar not in JMX_HOME/lib.

cvs commit: jakarta-tomcat/src/doc mod_jk-howto.html

[hgomez]

hgomez  01/04/02 23:47:34

  Modified:src/doc  mod_jk-howto.html
  Log:
  Correct documentation since in mod_jk warn log level didn't exist,
  use info instead (half-close BUG #332)
  Add info about JkLogStampFormat directive
  
  Revision  ChangesPath
  1.7   +11 -10jakarta-tomcat/src/doc/mod_jk-howto.html
  
  Index: mod_jk-howto.html
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/doc/mod_jk-howto.html,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- mod_jk-howto.html 2001/03/15 16:23:12 1.6
  +++ mod_jk-howto.html 2001/04/03 06:47:33 1.7
  @@ -62,10 +62,8 @@
 ul
   lia href="#s61"mod_jk Binaries/a/li
   lia href="#s62"Building mod_jk/a/li
  -lia href="#s63"Building mod_jk
  -  for NT/a/li
  -lia href="#s64"Building mod_jk
  -  for Unix/a/li
  +lia href="#s63"Building mod_jk for NT/a/li
  +lia href="#s64"Building mod_jk for Unix/a/li
 /ul
   /li
   lia href="#s7"Configuring Apache/a
  @@ -77,8 +75,7 @@
   lia href="#s8"Configuring Tomcat/a
 ul
   lia href="#s81"Enabling Tomcat's Apache Auto-Config/a/li
  -lia href="#s82"Configuring Tomcat to use the
  -  AJPv13 Protocol/a/li
  +lia href="#s82"Configuring Tomcat to use the AJPv13 Protocol/a/li
   lia href="#s83"Defining Workers/a/li
 /ul
   /li
  @@ -509,9 +506,12 @@
Use mod_jk's ttJkWorkersFile/tt configuration directive./li
liYou should specify a location where mod_jk is going to place its log file
and a log level to be used. Use the ttJkLogFile/tt and ttJkLogLevel/tt
  - configuration directives. Possible log levels are idebug/i, iwarn/i,
  - ierror/i and iemerg/i, but iwarn/i should be your default
  + configuration directives. Possible log levels are idebug/i, iinfo/i,
  + ierror/i and iemerg/i, but iinfo/i should be your default
selection./li
  + liThe directive ttJkLogStampFormat/tt will configure the date/time format
  + found on mod_jk logfile. Using ttstrftime()/tt format string it's set by
  + default to "[%a %b %d %H:%M:%S %Y] "/li 
   /ul
   A simple example would be to include the following lines in your 
tthttpd.conf/tt file:
   blockquotepre
  @@ -519,7 +519,8 @@
   AddModule mod_jk.c
   JkWorkersFile /usr/local/jakarta-tomcat/conf/workers.properties
   JkLogFile /usr/local/apache/logs/mod_jk.log
  -JkLogLevelwarn
  +JkLogLevelinfo
  +JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
   /pre/blockquote
   /div
   
  @@ -739,7 +740,7 @@
   #
   JkWorkersFile /usr/local/jakarta-tomcat/conf/jk/workers.properties
   JkLogFile /usr/local/apache/logs/mod_jk.log
  -JkLogLevelwarn
  +JkLogLevelinfo
   
   # First Virtual Host.
   #
  
  
  

Tomcat 4.0-beta-3 Released (SECURITY VULNERABILITY)

[Craig R. McClanahan]

Tomcat 4.0-beta-3 is an update to the Tomcat 4.0-beta-2 distribution that
was released on 30 March 2001.  It fixes a further security vulnerability
related to potentially exposing JSP source that was only partially
corrected in beta 2.  Anyone using versions of Tomcat 4.0 earlier than the
beta 3 release (or the nightly build dated 20010403 or later) is strongly
encouraged to immediately update to the beta 3 release.

Craig McClanahan

context factories

[Torgeir Veimo]

I've read in a post by Remy with subject: "Re: ejb-ref ejb-link
Implementation in 4.0.b1",
http://w4.metronet.com/~wjm/tomcat/2001/Mar/msg00273.html that the only
two factories supported in tomcat right now is one for getting Tyrex
managed data sources  User Transactions.

I'm interested in getting a resource factory that I've created myself to
reuse jndi context's to an LDAP database that is used for authentication
 more.

I've created a ContextPool that handles this, and I want to retrieve
this with initCtx.lookup("java:comp/env/jndi/ContextPool");

How do I create and add the necessary resource factory? Should I modify
org.apache.naming.factroy.ResourceFactory.java ?

Any hints appreciated.


-- 
- Torgeir

Directory registering

[Zsolt Horvath]

Hi !

Anybody knows how to register a new directory under 
the TomCat ? Iam tried this in the /conf/server.xml but it doesnt 
work.

debugging tomcat's jndi provider

[Torgeir Veimo]

I need to look at the behaviour of the jndi provider inside tomcat.

Are there any tricks to debugging tomcat?

-- 
- Torgeir

Re: context factories

[Craig R. McClanahan]

On Tue, 3 Apr 2001, Torgeir Veimo wrote:

 I've read in a post by Remy with subject: "Re: ejb-ref ejb-link
 Implementation in 4.0.b1",
 http://w4.metronet.com/~wjm/tomcat/2001/Mar/msg00273.html that the only
 two factories supported in tomcat right now is one for getting Tyrex
 managed data sources  User Transactions.
 

This message is actually out of date now.  There are also default
factories to create javax.mail.Session and
javax.mail.internet.MimePartDataSource as well.

 I'm interested in getting a resource factory that I've created myself to
 reuse jndi context's to an LDAP database that is used for authentication
  more.
 
 I've created a ContextPool that handles this, and I want to retrieve
 this with initCtx.lookup("java:comp/env/jndi/ContextPool");
 
 How do I create and add the necessary resource factory? Should I modify
 org.apache.naming.factroy.ResourceFactory.java ?
 

If you don't mind specifying the resource factory class yourself, you
don't need to modify any code at all -- just configure it in server.xml
like this:

  Context path="/myapp" ... 
...
Resource name="jndi/ContextPool"
  type="com.mycompany.ContextPool"/
ResouceParams name="jndi/ContextPool"
  parameter
namefactory/name
valuecom.mycompany.ContextPoolFactory/value
  /parameter
  parameternamename/namevaluevalue/value/parameter
  ...
/ResourceParams
...
  /Context

where "com.mycompany.ContextPoolFactory" is a class that implements
javax.naming.spi.ObjectFactory.  You can use the existing factories as
examples of how such factories can access the declared resource parameters
and use them to configure the object itself.

 Any hints appreciated.
 
 
 -- 
 - Torgeir
 

Craig McClanahan

? on SSI virtual file

[Amy Roh]

(1) According to NCSA "virtual gives a virtual path to a document on the
server."  So no matter which context you're in, !--#include
virtual="/test.txt" -- should try to access "test.txt" on your server's
root, right?  Does virtual have to start with "/" always?  I would think
so.  If not, what should be the behavior if it doesn't start with "/",
context based?

(2) Also, NCSA states "file gives a pathname relative to the current
directory."  So obviously !--#include file="test.txt" -- should try to
access "test.txt" in your current directory.  What about "!--#include
file="/test.txt" --"?  Should that look for "test.txt" on your server
root or on webapp?

Amy

Re: ? on SSI virtual file

[Bip Thelin]

Amy Roh wrote:
 
 (1) According to NCSA "virtual gives a virtual path to a document on the
 server."  So no matter which context you're in, !--#include
 virtual="/test.txt" -- should try to access "test.txt" on your server's
 root, right?  Does virtual have to start with "/" always?  I would think
 so.  If not, what should be the behavior if it doesn't start with "/",
 context based?

snip
virtual gives a virtual path to a document on the server. You must access
a normal file this way, you cannot access a CGI script in this fashion.
You can, however, access another parsed document.
/snip

I would say that !--#include virtual="/test.txt" -- tries to access
test.txt in the server's root. However if you read the rfc on virtual
paths you can also use ., .., dir instead of starting with a / so
then the following examples would/should work:

!--#include file="file.txt" -- Which is a file in the current directory.
!--#include file="./file.txt" -- Which is a file in the current directory.
!--#include file="dir/file.txt" -- Which is a file in the "dir" directory
_above_ the current directory.
!--#include file="/file.txt" -- Which is a file on the servers root.
!--#include file="../file.txt" -- Which is a file in the dir _below_
the current directory.

 (2) Also, NCSA states "file gives a pathname relative to the current
 directory."  So obviously !--#include file="test.txt" -- should try to
 access "test.txt" in your current directory.  What about "!--#include
 file="/test.txt" --"?  Should that look for "test.txt" on your server
 root or on webapp?

snip
file gives a pathname relative to the current directory. ../ cannot be
used in this pathname, nor can absolute paths be used. As above, you can
send other parsed documents, but you cannot send CGI scripts. 
/snip

As i enterpret this you can _only_ access a file using the file command
in the following ways:

!--#include file="file.txt" -- Which is a file in the current directory.
!--#include file="dir/file.txt" -- Which is a file in the "dir" directory
_above_ the current directory.

!--#include file="/file.txt" -- Would fail.
!--#include file="../file.txt" -- Would fail.

And this is how it should be implemented right now.

..bip

Re: ? on SSI virtual file

[cmanolache]

On Tue, 3 Apr 2001, Amy Roh wrote:

 (1) According to NCSA "virtual gives a virtual path to a document on the
 server."  So no matter which context you're in, !--#include
 virtual="/test.txt" -- should try to access "test.txt" on your server's
 root, right?  Does virtual have to start with "/" always?  I would think
 so.  If not, what should be the behavior if it doesn't start with "/",
 context based?

If I remember this - "context based" is something specific to servlets
( 2.2 and after ), the /paths are allways relative to the server ( or
vhost ) root URI.

One tricky part is that /foo/bar.txt may not refer to the file 
ROOT/foo/bar.txt - it may be mapped by the server to a different location
( Location is similar with a servlet context - so it may be in context
foo, with a different docbase ). 

Apache is doing a re-mapping ( run_subreq ) to get to the right file ( the
relevant file is httpd-2.0/modules/filters/mod_include.c ). 

That mean you need to do use a request dispatcher or something equivalent 
to make sure the path is mapped ( and of course to play some games with
the URIs to match the servlet and http server semantics ).

I think the security rules are also applied during include - but you
should test that.


 (2) Also, NCSA states "file gives a pathname relative to the current
 directory."  So obviously !--#include file="test.txt" -- should try to
 access "test.txt" in your current directory.  What about "!--#include
 file="/test.txt" --"?  Should that look for "test.txt" on your server
 root or on webapp?

Again, distant memories - but include file was supposed to be the
"fast" version that doesn't do mapping/auth/etc - so it is limited to the
local directory ( and I think it didn't do security checks either ).

Sorry, I used SSI long ago ( I think it was a Cern server ), but I
still remember some pain :-)

Costin 

cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml

[amyroh]

amyroh  01/04/03 15:07:10

  Modified:catalina/src/conf web.xml
  Log:
  Added "isVirtualWebappRelative" parameter to give an option that virtual paths can 
be webapp-relative.
  Defaults to false following NCSA.
  
  Revision  ChangesPath
  1.16  +5 -0  jakarta-tomcat-4.0/catalina/src/conf/web.xml
  
  Index: web.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- web.xml   2001/03/27 20:34:00 1.15
  +++ web.xml   2001/04/03 22:07:10 1.16
  @@ -77,6 +77,11 @@
 param-namebuffered/param-name
 param-value1/param-value
   /init-param
  +init-param
  +  !-- 0 == false; 1 == true --
  +  param-nameisVirtualWebappRelative/param-name
  +  param-value0/param-value
  +/init-param
   load-on-startup5/load-on-startup
 /servlet
   
  
  
  

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi SsiMediator.java

[amyroh]

amyroh  01/04/03 15:45:33

  Modified:catalina/src/share/org/apache/catalina/util/ssi
SsiMediator.java
  Log:
  Fixed virtual behavior to follow NCSA rules with a webapp-relative option.
  
  Revision  ChangesPath
  1.3   +48 -9 
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java
  
  Index: SsiMediator.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- SsiMediator.java  2001/04/02 21:14:29 1.2
  +++ SsiMediator.java  2001/04/03 22:45:33 1.3
  @@ -1,8 +1,8 @@
   /*
* SsiMediator.java
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java,v
 1.2 2001/04/02 21:14:29 craigmcc Exp $
  - * $Revision: 1.2 $
  - * $Date: 2001/04/02 21:14:29 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java,v
 1.3 2001/04/03 22:45:33 amyroh Exp $
  + * $Revision: 1.3 $
  + * $Date: 2001/04/03 22:45:33 $
*
* 
*
  @@ -85,7 +85,8 @@
   
   /**
* @author Bip Thelin
  - * @version $Revision: 1.2 $, $Date: 2001/04/02 21:14:29 $
  + * @author Amy Roh
  + * @version $Revision: 1.3 $, $Date: 2001/04/03 22:45:33 $
*
*/
   public class SsiMediator {
  @@ -106,12 +107,18 @@
   
   protected static ServletContext servletContext = null;
   
  +protected static ServletContext origServletContext = null;
  +
  +protected static String contextPath = null;
  +
   protected static String relpath = "/";
   
   protected static String path = new String();
   
   protected static int debug = 0;
   
  +protected static boolean isVirtualWebappRelative = false;
  +
   public SsiMediator() {}
   
   static {
  @@ -129,9 +136,10 @@
   OutputStream out,
   ServletContext servletContext,
   int debug,
  -String path) {
  +String path,
  +   boolean isVirtualWebappRelative) {
this.debug = debug;
  - flush(req, res, out, servletContext, path);
  + flush(req, res, out, servletContext, path, isVirtualWebappRelative);
   }
   
   public final SsiCommand getCommand(String cmd) {
  @@ -142,13 +150,17 @@
  HttpServletResponse res,
  OutputStream out,
  ServletContext servletContext,
  -   String path) {
  +   String path,
  +  boolean isVirtualWebappRelative) {
this.req = req;
this.res = res;
this.out = out;
this.servletContext = servletContext;
  +this.origServletContext = servletContext;
  +this.contextPath = req.getContextPath();
this.path = path;
this.relpath = path.substring(0, path.lastIndexOf("/")+1);
  +this.isVirtualWebappRelative = isVirtualWebappRelative;
int c=0;
   
serverVariables.put("AUTH_TYPE",
  @@ -295,6 +307,32 @@
normalized.substring(index + 3);
}
   
  +if (!isVirtualWebappRelative) {
  +// case of virtual="file.txt", "./file.txt", or dir/file.txt
  +if ((!path.startsWith("/")) || (path.startsWith("./"))) {
  +// handle as file in the current directory with original servletContext
  +servletContext = origServletContext;
  +}else if (path.indexOf("/", 1)==-1) {
  +//root context
  +servletContext = servletContext.getContext("/");
  +} else if (!contextPath.equals("")) {
  +//starts with the context path of this webapp
  +if ((normalized !=null)  (normalized.startsWith(contextPath))) {
  +// strip off the context path
  +servletContext = servletContext.getContext(contextPath);
  +normalized = normalized.substring(contextPath.length());
  +}
  +} else if (normalized != null){
  +// find which context is the right one to handle 
  +String context = normalized.substring(0, path.indexOf("/", 1));
  +ServletContext sc = servletContext.getContext(context);
  +if (sc!=null) {
  +servletContext = sc;
  +normalized = normalized.substring(context.length());
  +}
  +}
  +}
  +
return (normalized);
   }
   
  @@ -325,6 +363,8 @@
* normalized = RequestUtil.URLDecode(normalized, "UTF8");
*/
   
  + servletContext = origServletContext;
  +
   if (normalized == null)
   return (null);
   
  @@ -341,8 +381,7 @@

FW: Tomcat may reveal script source code by URL trickery 2

[Jon Stevens]

--
From: "Sverre H. Huseby" [EMAIL PROTECTED]
Reply-To: "Sverre H. Huseby" [EMAIL PROTECTED]
Date: Tue, 3 Apr 2001 10:25:26 +0200
To: [EMAIL PROTECTED]
Subject: Tomcat may reveal script source code by URL trickery 2

Meta comment


Ok, I know there has already been a report on this problem on Bugtraq,
but as I informed the Tomcat people before the CHINANSL advisory
appeared here, I want to brag about it anyway.  :)

Also, the Tomcat'ers have provided a fix as mentioned in this
advisory.



==

Tomcat may reveal script source code by URL trickery 2
--

Sverre H. Huseby security advisory #4, 2001-04-03



Systems affected


Tomcat 4.0-b2, which includes fixes for a similar bug.  Other versions
before 4.0-b3 may be vulnerable too.

The Tomcat team was notified on 2001-04-01, and they provided a fix on
2001-04-03.  Everybody should upgrade to at least Tomcat 4.0 beta 3.


Description
---

Tomcat (http://jakarta.apache.org/tomcat/), the Reference
Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
Technologies, may be tricked into revealing the source code of JSP
scripts by using simple URL encoding.


Details
---

It seems that the built in web server in affected versions of Tomcat
does URL decoding twice.  URLs like the following

  http://someplace.com:8080/index.js%2570

where %25 is an URL encoded '%', and 70 is the hexadecimal value for
'p', returns the source code of index.jsp rather than running the
script on the server side.

To speculate (read: guess): The JSP handler is skipped as this URL
does not end in ".jsp" (after URL decoding the first time), but the
static file handler is nevertheless able to map the URL into a correct
file name (doing URL decoding a second time).


Impact
--

This design error makes it possible to fetch the source code of JSP
scripts.  Such source code may contain database passwords and file
names, and may reveal design errors or programming bugs that make it
possible to further exploit the server or service.



Reported by Sverre H. Huseby, [EMAIL PROTECTED]

--
URL:mailto:[EMAIL PROTECTED]
URL:http://shh.thathost.com/

Re: CGI support servlet (TC 4) -- feedback wanted

[Amy Roh]

 Right now they are basically the same scripts that I added to the
 examples webapp.  So, should I just duplicate the scripts so we have one
 set in tomcat-root/webapps/examples/WEB-INF/cgi-bin and one set in
 tomcat-root/tester/src/bin?  Or would the tester/src/bin/tester.xml
 simply have some targets which tested the output of some requests to
 http://server/examples/cgi-bin/cgitester.cgi, etc.?


I think once the feature is fully implemented, we can work on a tester which tests
your scripts and add it to our set of tests.  So whenever the tester is ran, we can
display something like "CGI tests all PASSED" following the current tester style.



 
  5) Default location of cgi scripts
 
  In another project, we have put all cgi scripts under
  webapp/WEB-INF/cgi since they are then 1) not liable to be served by
  the container; yet 2) still encapsulated underneath the webapp's own
  directory structure.
 
  One observation and two issues here:
 
  Observation: the Servlet spec is obviously silent on CGI placement
  issues; yet we should probably support (and even default to?) something
  congruent with standard CGI practice of separating the HTML and CGI
  scripts (/doc-root and /cgi-bin) while not encouraging anything which
  breaks the Servlet API's web application filesystem (or war file)
  boundaries.
 
  Issue 1) generally, how do people like the webapp/WEB-INF/cgi solution
  in light of the above observation?
 
 
  +1
 

 Cool.

  Issue 2) if people like it, should we make it the default setting (by
  defining an init-parameter for the CGI servlet in the container-wide
  web.xml file)?
 
 
  I think we should designate a cgi directory where people can put CGI scripts for
  security reasons.

 Yes, on a per-webapp level?


I meant like an absolute directory like "cgi-bin" directory in file system.  But
there're options


 
  Is the source code from  http://www.martindengler.com/proj/CGIGatewayServlet.zip
  the most updated one?
 

 I have made some more updates which I have not posted yet.  Once I take
 into account your  others' suggestions, I will update that zip file.  I
 imagine I can make most of the changes tonight and re-package tomorrow,
 so hopefully a new one will be up soon.


Awesome.  Thanks!

Cheers,

Amy

[PATCH] bufferSize overflows in BodyContentImpl TC3.3M2

[William Barker]

The bufferSize variable in BodyContentImpl is declared as an int.  This
results in an integer overflow very quickly for even moderately big output.
(Think displaying the results of a SQL table as a HTML table).  I imagine
that the ultimate solution will be to declare it as a long, but in the mean
time...
*** BodyContentImpl.java.orig   Tue Apr  3 16:46:37 2001
--- BodyContentImpl.javaTue Apr  3 16:47:15 2001
***
*** 110,119 
  char[] tmp = null;

//XXX Should it be multiple of DEFAULT_BUFFER_SIZE??
!
if (len = Constants.DEFAULT_BUFFER_SIZE) {
tmp = new char [bufferSize + Constants.DEFAULT_BUFFER_SIZE];
!   bufferSize = bufferSize * 2;
} else {
tmp = new char [bufferSize + len];
bufferSize += len;
--- 110,119 
  char[] tmp = null;

//XXX Should it be multiple of DEFAULT_BUFFER_SIZE??
! len += Constants.DEFAULT_BUFFER_SIZE -
(len%Constants.DEFAULT_BUFFER_SIZE);
if (len = Constants.DEFAULT_BUFFER_SIZE) {
tmp = new char [bufferSize + Constants.DEFAULT_BUFFER_SIZE];
! bufferSize += Constants.DEFAULT_BUFFER_SIZE;
} else {
tmp = new char [bufferSize + len];
bufferSize += len;

Re: JNDI realm for Catalina

[Martin Smith]

This sounds excellent.  I appreciate the ability to specify which attribute to
match:  I plan to use "mail" in a current application.

I wonder if it wouldn't be useful to permit a principal or a credential to be an
attribute in the user's (subject's) own entry, e.g., "creditbalance." (For some
types of data, I wonder if it may be more efficient to maintain it "distributed"
in subjects' entries rather than in a possibly very large and dynamic attribute
list.)

(Perhaps it's obvious, but I'll mention that I'm a bit uncertain about the
distinction and appropriate practical uses of "principals" versus "credentials".
)

Does this model handle "dynamic" groups, by which I mean a reference to a
method/algorythm/formula computed at runtime, like "member of ou=myDepartment",
or "person entries with creditbalance  1" ?  I understand this can be
achieved by referring to an attribute that stores a URI that includes an LDAP
query string.

In any case, this authenticator is a very exciting contribution.

Martin

John Holman wrote:

 One of the action items in the Catalina status document is a JNDI realm.
 I've been working on this recently and wonder whether what I've done would
 be useful to the project - though I'm not sure how best to get involved.
 Incidentally, the status document lists James W as a volunteer for this
 item. I sent James a message a few days ago asking about progress but
 haven't received a response yet.

 Anyway, this is what I've done/plan to do. The current implementation
 follows the general pattern of the existing JDBCRealm. It is assumed that
 user and role information is held in a directory server. To authenticate the
 user, the directory is first searched for an entry with an attribute
 matching the given username. An attempt is then made to bind to the
 directory using the name of that entry and the password.

 A role is represented in the directory by an entry with an attribute whose
 values identify the users with that role, and optionally with an attribute
 whose value is the name of the role. In an LDAP directory a role entry might
 have a uniqueMember or member attribute to hold the distinguished names of
 the users. However other attribute types could be used, and the values could
 be usernames instead of DNs. In the current implementation, all the roles
 associated with a user are retrieved when the user is first authenticated
 and then cached in the Principal object.

 To accommodate the different ways that user and role information can be
 represented in the directory a number of configuration attributes are
 needed - though fortunately most can have defaults. Here is a possible set:

 connectionURL - the connection URL to be passed to the JNDI provider.
 Usually this will be an LDAP URL specifying the hostname and port of the
 directory server and optionally the name of the root naming context. This
 attribute is required. Example: ldap://ldap.acme.com:389

 contextFactory - the class name of the inital context factory to use.
 Default: com.sun.jndi.ldap.LdapCtxFactory

 userSearchBase - the name of the context (relative to the root context)
 within which to search for users.
 This attribute is required. Example: ou=people

 userNameAttribute - the name of the attribute whose value will be matched to
 the given username. Default: "uid"

 userSearchSubtree - if true the subtree starting at userSearchBase will be
 searched for a user with the given username. If false a one-level search is
 performed. Default: "false"

 roleSearchBase - the name of the context (relative to the root context)
 within which to search for roles. This attribute is required. Example:
 ou=groups

 roleMemberAttribute - the name of the attribute whose values identify the
 users with that role. Default: uniqueMember.

 roleNameAttribute - the name of the attribute whose value is the name of the
 role. If not specifed, a role name is constructed from the leftmost
 component of the name of the directory entry. (This will probably only work
 for LDAP-style distinguished names).

 roleSearchSubtree - if "true" the whole subtree starting at roleSearchBase
 is searched for roles. If "false" a one-level search is performed. Default:
 "false"

 roleValueIsDN - if "true" the values of the roleNameAttribute are the
 distinguished names of the users. If "false" they are usernames. Default:
 "true" [ not yet implemented - only DNs handled ]

 useSSL - whether to make an SSL connection to the directory server. Default:
 "false". [not yet implemented]

 connectionName - the dn to use when connecting to the directory server. If
 not specified an anonymous connection is used.  [ not yet implemented ]

 connectionPassword - the password to use when connecting to the directory
 server. If not specified an anonymous connection is used. [ not yet
 implemented ]

 I'd welcome any feedback.

 John.

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util PrefixMapper.java

[costin]

costin  01/04/03 21:04:50

  Modified:src/share/org/apache/tomcat/util PrefixMapper.java
  Log:
  One bug in a previous fix, test host!=null.
  
  Revision  ChangesPath
  1.10  +8 -7  
jakarta-tomcat/src/share/org/apache/tomcat/util/PrefixMapper.java
  
  Index: PrefixMapper.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/PrefixMapper.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- PrefixMapper.java 2001/03/31 21:48:00 1.9
  +++ PrefixMapper.java 2001/04/04 04:04:49 1.10
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/PrefixMapper.java,v 1.9 
2001/03/31 21:48:00 costin Exp $
  - * $Revision: 1.9 $
  - * $Date: 2001/03/31 21:48:00 $
  + * $Header: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/PrefixMapper.java,v 1.10 
2001/04/04 04:04:49 costin Exp $
  + * $Revision: 1.10 $
  + * $Date: 2001/04/04 04:04:49 $
*
* 
*
  @@ -123,8 +123,8 @@
*/
   public void removeAllMappings( String host, String path ) {
PrefixMapper vmap=this;
  - host=host.toLowerCase();
if( host!=null ) {
  + host=host.toLowerCase();
vmap=(PrefixMapper)vhostMaps.get(host);
}

  @@ -207,10 +207,11 @@
   String s = path;
   
PrefixMapper myMap=null;
  - if( host!=null )
  + if( host!=null ) {
myMap=(PrefixMapper)vhostMaps.get( host );
  - if( myMap==null ) {
  - myMap=(PrefixMapper)vhostMaps.get( host.toLowerCase() );
  + if( myMap==null ) {
  + myMap=(PrefixMapper)vhostMaps.get( host.toLowerCase() );
  + }
}

if( myMap==null ) myMap = this; // default server