Package: tomcat4
Version: 4.1.31-local-3
Severity: important
Tags: patch

Tomcat forgets the "allowLinking" resource setting on restart from the manager interface. A quick investigation has shown that during stop "allowLinking" is reset to false and the system startup will fail.

I have found that bug on the Tomcat mailing list (http://issues.apache.org/bugzilla/show_bug.cgi?id=21818). In HEAD that bug is fixed, but in the Debian package not yet :-(
I have stolen a patch from CVS and applied it to the source from the Debian package. After installing that package I passed some tests restarting the application from the manager (I use a log4j symlink in WEB-INF in my webapp). It works fine.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-dl380-g3.guard
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tomcat4 depends on:
ii  adduser                   3.59           Add and remove users and groups
ii  apache2-common            2.0.52-3       Next generation, scalable, extenda
ii  libtomcat4-java           4.1.31-local-3 Java Servlet engine -- core librar
ii  sun-j2sdk1.5 [java-compil 1.5.0+update01 Java(TM) 2 SDK, Standard Edition,
ii  sun-j2sdk1.5debian [java- 0.18           Debian specific parts of Java(TM)

-- no debconf information

The patch:

diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java --- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java 2004-09-25 19:44:19.000000000 +0300 +++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java 2005-02-10 16:39:03.000000000 +0200 @@ -82,7 +82,7 @@ * * @author Craig R. McClanahan * @author Remy Maucherat - * @version $Revision: 1.125 $ $Date: 2004/08/26 21:32:20 $ + * @version $Revision: 1.126 $ $Date: 2004/11/19 20:52:02 $ */ public class StandardContext @@ -134,7 +134,6 @@ */ private boolean available = false; - /** * The Locale to character set mapper for this application. */ @@ -417,6 +416,24 @@ /** + * Case sensitivity. + */ + protected boolean caseSensitive = true; + + + /** + * Allow linking. + */ + protected boolean allowLinking = false; + + + /** + * Cache TTL in ms. + */ + protected int cacheTTL = 5000; + + + /** * Caching allowed flag. */ protected boolean cachingAllowed = true; 
@@ -427,6 +444,7 @@ */ protected DirContext webappResources = null; + // ----------------------------------------------------- Context Properties @@ -447,6 +465,55 @@ } + + /** + * Set case sensitivity. + */ + public void setCaseSensitive(boolean caseSensitive) { + this.caseSensitive = caseSensitive; + } + + + /** + * Is case sensitive ? + */ + public boolean isCaseSensitive() { + return caseSensitive; + } + + + /** + * Set allow linking. + */ + public void setAllowLinking(boolean allowLinking) { + this.allowLinking = allowLinking; + } + + + /** + * Is linking allowed. + */ + public boolean isAllowLinking() { + return allowLinking; + } + + + /** + * Set cache TTL. + */ + public void setCacheTTL(int cacheTTL) { + this.cacheTTL = cacheTTL; + } + + + /** + * Get cache TTL. + */ + public int getCacheTTL() { + return cacheTTL; + } + + /** * Returns true if the internal naming support is used. */ 
@@ -3281,8 +3348,19 @@ try { ProxyDirContext proxyDirContext = new ProxyDirContext(env, webappResources); + if (webappResources instanceof FileDirContext) { + filesystemBased = true; + ((FileDirContext) webappResources).setCaseSensitive + (isCaseSensitive()); + ((FileDirContext) webappResources).setAllowLinking + (isAllowLinking()); + } + if (webappResources instanceof BaseDirContext) { ((BaseDirContext) webappResources).setDocBase(getBasePath()); + ((BaseDirContext) webappResources).setCached + (isCachingAllowed()); + ((BaseDirContext) webappResources).setCacheTTL(getCacheTTL()); ((BaseDirContext) webappResources).allocate(); } this.resources = proxyDirContext; diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml --- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml 2004-09-25 19:44:19.000000000 +0300 +++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml 2005-02-10 16:46:12.000000000 +0200 @@ -6,7 +6,7 @@ <!-- Descriptions of JMX MBeans for Catalina - $Id: mbeans-descriptors.xml,v 1.82 2004/01/25 23:07:16 billbarker Exp $ + $Id: mbeans-descriptors.xml,v 1.83 2004/11/19 20:52:02 markt Exp $ --> <mbeans-descriptors> 
@@ -2072,9 +2072,23 @@ group="Context" type="org.apache.catalina.core.StandardContext"> - <attribute name="cookies" - description="Should we attempt to use cookies for session id - communication?" + <attribute name="allowLinking" + description="Allow symlinking to outside the webapp root directory, if the webapp is an exploded directory" + is="true" + type="boolean"/> + + <attribute name="cacheTTL" + description="Time interval in ms between cache refeshes" + type="int"/> + + <attribute name="cachingAllowed" + description="Should we cache static resources for this webapp" + is="true" + type="boolean"/> + + <attribute name="caseSensitive" + description="Should case sensitivity checks be performed" + is="true" type="boolean"/> <attribute name="cookies" diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml --- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml 2004-09-25 19:44:24.000000000 +0300 +++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml 2005-02-10 17:03:37.000000000 +0200 
@@ -169,12 +169,38 @@ <attributes> + <attribute name="allowLinking" required="false"> + <p>If the value of this flag is <code>true</code>, symlinks will be + allowed inside the web application, pointing to resources outside the + web application base path. If not specified, the default value + of the flag is <code>false</code>.</p> + <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform + (or any other OS which does not have a case sensitive filesystem), + as it will disable case sensitivity checks, allowing JSP source code + disclosure, among other security problems.</b></p> + </attribute> + + <attribute name="cacheTTL" required="false"> + <p>Amount of time in milliseconds between cache entries revalidation. + If not specified, the default value is <code>5000</code> + (5 seconds).</p> + </attribute> + <attribute name="cachingAllowed" required="false"> <p>This boolean flag indicates if the resources may be cached. It defaults to <code>true</code>. If set to <code>false</code>, this flag overrides the <em>cached</em> attribute of any contained - <a href="resources.html">Resources</a> - element.</p> + <a href="resources.html">Resources</a> element.</p> + </attribute> + + <attribute name="caseSensitive" required="false"> + <p>If the value of this flag is <code>true</code>, all case sensitivity + checks will be disabled. 
If not + specified, the default value of the flag is <code>true</code>.</p> + <p><b>NOTE: This flag MUST NOT be set to false on the Windows platform + (or any other OS which does not have a case sensitive filesystem), + as it will disable case sensitivity checks, allowing JSP source code + disclosure, among other security problems.</b></p> </attribute> <attribute name="debug" required="false"> diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml --- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml 2004-09-25 19:44:24.000000000 +0300 +++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml 2005-02-10 17:05:38.000000000 +0200 @@ -85,8 +85,8 @@ </attribute> <attribute name="caseSensitive" required="false"> - <p>This boolean flag toggles case sensitivity for resourceson - the Windows platform. Defaults to <code>true</code>.</p> + <p>This is the functional equivalent to the <em>caseSensitive</em> + of a <a href="context.html">Context</a>.</p> </attribute> <attribute name="docBase" required="false">
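Review bot: In the context.xml hunk (@@ -169,12 +169,38 @@), the first sentence of the new caseSensitive description is inverted. It reads "If the value of this flag is true, all case sensitivity checks will be disabled", yet the same entry gives true as the default and its NOTE warns that setting the flag to false is what disables the checks. Change the sentence to say false, so the documentation does not lead an administrator to switch the checks off while believing they are enabling them.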
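Review bot: In the StandardContext.java hunk at @@ -3281,8 +3348,19 @@, setCaseSensitive, setAllowLinking, setCached and setCacheTTL are applied to webappResources only after new ProxyDirContext(env, webappResources) has already been constructed. If the ProxyDirContext constructor reads any of these settings from the wrapped context, it will see the values from before the restart; moving both instanceof blocks above the constructor call removes that ordering dependency. The hunk also assigns filesystemBased = true without any visible declaration of that field in the patch, so confirm it already exists in the 4.1.31 source being patched.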
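Review bot: In the mbeans-descriptors.xml hunk (@@ -2072,9 +2072,23 @@), allowLinking and caseSensitive are published as StandardContext attributes with nothing in the declaration restricting writes, although the context.xml hunk documents both as flags whose wrong value leads to JSP source disclosure. Consider marking them writeable="false" in the descriptor, or state in the documentation that anyone with access to the MBean server can change them at runtime. The cacheTTL description in the same hunk has a typo: "refeshes" should be "refreshes".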
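Review bot: In the StandardContext.java hunk at @@ -447,6 +465,55 @@, the javadoc on setAllowLinking and setCaseSensitive only restates the method name and omits the platform warning that the context.xml hunk gives for the same flags; carry that NOTE into the setter comments so callers configuring the context programmatically see it. setCacheTTL also stores any int unchecked, so a zero or negative TTL is accepted with no documented meaning; either reject such values or document what they do. The whitespace-only changes at @@ -134,7 +134,6 @@ and @@ -427,6 +444,7 @@ are unrelated to the fix and could be dropped from the Debian patch to keep it minimal.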