Hi all,

As a side note, can we all try not to have a URL with something like “abc.exe” in?
Several firewall implementations will refuse to navigate there, even though we all know the intention is not to have it download. Trying to explain that to some people is more difficult than avoiding the problem. If it’s just for a small number of people you know and that won’t be a problem for them, then fine.

We use:

<servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/theApp.exe</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <!-- Use theApp as the default application -->
    <welcome-file>theApp.exe</welcome-file>
</welcome-file-list>

This hides the “theApp.exe” from the browser so such firewalls never know / interfere.

Thanks,
Tim

From: Mark Thomas <ma...@apache.org>
Sent: 22 June 2022 10:56
To: users@tomcat.apache.org
Subject: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

On 22/06/2022 10:37, bharath Kumar wrote:
> Hi team,
>
> Any help on this ?
>
> Further this exe(*abc.exe*) downloads when I hit on the url*
> http://server_name/abc.exe/ * and is
> happening only in *Tomcat *not with *IIS*.
>
>
> Tomcat :
> *http://<server_name:Port>/abc.exe* -- exe is not getting downloaded
> *http://<server_name:Port>/abc.exe/* -- exe is getting downloaded on
> the browser where we hit
>
>
> IIS:
>
> *http://<server_name:Port>/abc.exe/ - No issue*
> *http://<server_name:Port>/abc.exe - **No issue*
>
>
> My intention is not to download the abc.exe ... I have a CGI
> application(abc.exe) that opens up my application
>
>
> Below is my web.xml configuration:
>
> <servlet-mapping>
>     <servlet-name>abc</servlet-name>
>     <url-pattern>/abc.exe</url-pattern>
> </servlet-mapping>

Change the mapping to /abc.exe/*

See section 12.2 of the Servlet specification for details.

Mark

>
>
> Can you please help how to stop downloading the CGI application(
> *http://<server_name:Port>/abc.exe/* ) from being downloaded (I am trying
> to fix the CGI Vulnerability)
>
> Thanks,
> Bharath
>
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.invalid>
> wrote:
>
>> Hello,
>>
>> maybe this stackoverflow page helps already:
>>
>> https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
>>
>> Your snippet of the web.xml is just a configuration of an unknown servlet.
>> If the corresponding servlet is custom, you need to get in touch with the
>> developer.
>>
>> Greetings,
>> Thomas
>>
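
The mapping behaviour discussed in this thread, as an added example that is not part of any of the messages above: a simplified Python model of the Servlet specification's url-pattern rules (exact, path-prefix, extension, default), showing which servlet a request reaches under the original mapping and under the suggested /abc.exe/* mapping. The servlet names "cgi" and "default" and the "/" default mapping are assumptions made for the illustration.

```python
# Simplified model of Servlet spec url-pattern matching (exact, path-prefix,
# extension, default). Servlet names below are assumptions for illustration.

def match_servlet(path, mappings):
    """Return the servlet name selected for a context-relative request path."""
    exact, prefix, ext, default = {}, {}, {}, None
    for pattern, servlet in mappings.items():
        if pattern == "/":
            default = servlet                 # default servlet
        elif pattern.endswith("/*"):
            prefix[pattern[:-2]] = servlet    # path mapping, e.g. /abc.exe/*
        elif pattern.startswith("*."):
            ext[pattern[1:]] = servlet        # extension mapping, e.g. *.exe
        else:
            exact[pattern] = servlet          # everything else: exact match only

    # 1. Exact match: "/abc.exe" matches that string and nothing longer.
    if path in exact:
        return exact[path]

    # 2. Longest path-prefix match, compared on whole path segments.
    candidates = [b for b in prefix if path == b or path.startswith(b + "/")]
    if candidates:
        return prefix[max(candidates, key=len)]

    # 3. Extension match on the last path segment.
    last = path.rsplit("/", 1)[-1]
    if "." in last and "." + last.rsplit(".", 1)[-1] in ext:
        return ext["." + last.rsplit(".", 1)[-1]]

    # 4. Nothing matched: the default servlet handles the request.
    return default


# Constructed mappings: the one quoted in the thread and the suggested fix.
ORIGINAL = {"/abc.exe": "cgi", "/": "default"}
SUGGESTED = {"/abc.exe/*": "cgi", "/": "default"}

if __name__ == "__main__":
    for label, mappings in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for path in ("/abc.exe", "/abc.exe/", "/abc.exe/extra"):
            print(f"{label:9} {path:16} -> {match_servlet(path, mappings)}")
```

With the original exact mapping, /abc.exe/ is not routed to the CGI servlet and falls through to the default servlet; with /abc.exe/* both forms reach the CGI servlet.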