Hi all,

As a side note, can we all try not to have a URL with something like “abc.exe” 
in?

Several firewall implementations will refuse to navigate there, even though we 
all know the intention is not to have it download. Trying to explain that to 
some people is more difficult than avoiding the problem.

If it’s just for a small number of people you know and that won’t be a problem 
for them, then fine.

We use:
    <servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/theApp.exe</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <!-- Use theApp as the default application -->
        <welcome-file>theApp.exe</welcome-file>
    </welcome-file-list>

This hides the “theApp.exe” from the browser so such firewalls never know / 
interfere.

Thanks,
Tim

From: Mark Thomas <ma...@apache.org>
Sent: 22 June 2022 10:56
To: users@tomcat.apache.org
Subject: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to 
restrict exe's from downloading

On 22/06/2022 10:37, bharath Kumar wrote:
> Hi team,
>
> Any help on this ?
>
> Further this exe (*abc.exe*) downloads when I hit on the url
> *http://server_name/abc.exe/* and is
> happening only in *Tomcat* not with *IIS*.
>
>
> Tomcat :
> *http://<server_name:Port>/abc.exe* -- exe is not getting downloaded
> *http://<server_name:Port>/abc.exe/* -- exe is getting downloaded on
> the browser where we hit
>
>
> IIS:
>
> *http://<server_name:Port>/abc.exe/* - No issue
> *http://<server_name:Port>/abc.exe* - No issue
>
>
> My Intention is not to download the abc.exe ... I have a CGI
> application(abc.exe) that opens up my application
>
>
> Below is my web.xml configuration:
>
> <servlet-mapping>
> <servlet-name>abc</servlet-name>
> <url-pattern>/abc.exe</url-pattern>
> </servlet-mapping>

Change the mapping to /abc.exe/*

See section 12.2 of the Servlet specification for details.

Mark


>
>
> Can you please help how to stop the CGI application
> (*http://<server_name:Port>/abc.exe/*) from being downloaded (I am trying
> to fix the CGI Vulnerability)
>
> Thanks,
> Bharath
>
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.invalid>
>  wrote:
>
>> Hello,
>>
>> maybe this stackoverflow page helps already:
>>
>> https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
>>
>> Your snippet of the web.xml is just a configuration of an unknown servlet.
>> If the corresponding servlet is custom, you need to get in touch with the
>> developer.
>>
>> Greetings,
>> Thomas
>>
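
Added example, not part of the thread and not Tomcat's code: a simplified Python model of the Servlet specification's mapping rules (sections 12.1 and 12.2), showing why the exact pattern `/abc.exe` does not cover `/abc.exe/` while `/abc.exe/*` covers both. The `resolve` and `classify` helpers and the servlet name `default` for the `/` mapping are assumptions made for the illustration.

```python
# Simplified model of Servlet spec URL mapping (sections 12.1 and 12.2).
# Added illustration, not Tomcat's Mapper; the "" (context root) pattern is omitted.

def classify(pattern):
    """Mapping type of a <url-pattern> per section 12.2."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # anything else matches that one path only

def resolve(mappings, path):
    """Servlet chosen for a context-relative path, in the 12.1 order."""
    exact = {p: s for p, s in mappings.items() if classify(p) == "exact"}
    if path in exact:                       # 1. exact match
        return exact[path]
    best = None                             # 2. longest path-prefix match
    for pattern, servlet in mappings.items():
        if classify(pattern) != "prefix":
            continue
        prefix = pattern[:-2]               # "/abc.exe/*" -> "/abc.exe"
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, servlet)
    if best:
        return best[1]
    last = path.rsplit("/", 1)[-1]          # 3. extension of last segment
    if "." in last:
        ext = last.rsplit(".", 1)[1]
        for pattern, servlet in mappings.items():
            if classify(pattern) == "extension" and pattern[2:] == ext:
                return servlet
    return mappings.get("/")                # 4. default servlet, if mapped

# Constructed mappings: the one from the thread and the suggested change.
# The servlet name "default" for "/" is assumed for the illustration.
EXACT = {"/abc.exe": "abc", "/": "default"}
PREFIX = {"/abc.exe/*": "abc", "/": "default"}

if __name__ == "__main__":
    for path in ("/abc.exe", "/abc.exe/", "/abc.exe/x", "/abc.exefoo"):
        print(f"{path:14} exact-> {resolve(EXACT, path)}  prefix-> {resolve(PREFIX, path)}")
```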
