craigmcc 01/08/19 17:33:34 Modified: catalina/src/conf web.xml catalina/src/share/org/apache/catalina Globals.java catalina/src/share/org/apache/catalina/servlets CGIServlet.java InvokerServlet.java ManagerServlet.java Log: Make it not possible to use the "invoker" service to execute CGIServlet when it is not mapped. (Same prohibition applies to ManagerServlet). Remove default <servlet-mapping> for CGI servlet. User who want to enable this, because they are porting existing legacy applications, must either uncomment the entry in $CATALINA_HOME/conf/web.xml to make CGI service available to all web apps, or add an explicit mapping to your own web.xml file. Revision Changes Path 1.18 +6 -2 jakarta-tomcat-4.0/catalina/src/conf/web.xml Index: web.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- web.xml 2001/06/01 00:18:37 1.17 +++ web.xml 2001/08/20 00:33:34 1.18 @@ -106,7 +106,9 @@ <param-name>cgiPathPrefix</param-name> <param-value>WEB-INF/cgi</param-value> </init-param> +<!-- Uncomment this if you want CGIServlet loaded at startup time <load-on-startup>6</load-on-startup> +--> </servlet> <!-- The mapping for the default servlet --> 
@@ -136,11 +138,13 @@ </servlet-mapping> <!-- The mapping for the CGI Gateway servlet --> - <!-- Comment this out if you do not want "CGI Gateway" service --> + <!-- Uncomment this if you want "CGI Gateway" service --> + <!-- <servlet-mapping> <servlet-name>cgi</servlet-name> - <url-pattern>/cgi-bin/*</url-pattern> + <url-pattern>/cgi-bin/*</url-pattern> </servlet-mapping> + --> <!-- Set the default session timeout (in seconds) --> <session-config> 1.35 +13 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java Index: Globals.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v retrieving revision 1.34 retrieving revision 1.35 diff -u -r1.34 -r1.35 --- Globals.java 2001/08/10 05:40:43 1.34 +++ Globals.java 2001/08/20 00:33:34 1.35 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v 1.34 2001/08/10 05:40:43 craigmcc Exp $ - * $Revision: 1.34 $ - * $Date: 2001/08/10 05:40:43 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v 1.35 2001/08/20 00:33:34 craigmcc Exp $ + * $Revision: 1.35 $ + * $Date: 2001/08/20 00:33:34 $ * * ==================================================================== * @@ -69,7 +69,7 @@ * Global constants that are applicable to multiple packages within Catalina. * * @author Craig R. McClanahan - * @version $Revision: 1.34 $ $Date: 2001/08/10 05:40:43 $ + * @version $Revision: 1.35 $ $Date: 2001/08/20 00:33:34 $ */ public final class Globals { 
@@ -156,6 +156,15 @@ */ public static final String ERROR_MESSAGE_ATTR = "javax.servlet.error.message"; + + + /** + * The request attribute under which the Invoker servlet will store + * the invoking servlet path, if it was used to execute a servlet + * indirectly instead of through a servlet mapping. + */ + public static final String INVOKED_ATTR = + "org.apache.ctalina.INVOKED"; /** 1.5 +22 -7 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java Index: CGIServlet.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- CGIServlet.java 2001/08/14 18:50:10 1.4 +++ CGIServlet.java 2001/08/20 00:33:34 1.5 @@ -1,6 +1,6 @@ /* - * CGIServlet.java $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v 1.4 2001/08/14 18:50:10 pier Exp $ - * $Revision: 1.4 $, $Date: 2001/08/14 18:50:10 $ + * CGIServlet.java $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v 1.5 2001/08/20 00:33:34 craigmcc Exp $ + * $Revision: 1.5 $, $Date: 2001/08/20 00:33:34 $ * * ==================================================================== * @@ -87,12 +87,14 @@ import javax.servlet.ServletOutputStream; import javax.servlet.ServletContext; import javax.servlet.ServletConfig; +import javax.servlet.UnavailableException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import javax.servlet.http.Cookie; import org.apache.catalina.Context; +import org.apache.catalina.Globals; import org.apache.catalina.Wrapper; // import org.apache.catalina.util.StringManager; 
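Review bot: The value of the new `INVOKED_ATTR` constant in the Globals.java hunk is spelled `"org.apache.ctalina.INVOKED"`, which drops an "a" from the `org.apache.catalina` prefix that the CGIServlet check in this same commit uses (`"org.apache.catalina.INVOKER."`). The guards still work because every reader and writer shown here goes through the constant, but anything that looks for the attribute by its literal name (a filter, a log search, a later check written from the Javadoc) will not find it. I would change the value to `"org.apache.catalina.INVOKED"`. The Javadoc should also say that CGIServlet and ManagerServlet treat the presence of this attribute as a reason to refuse the request, so it is not mistaken for purely informational data.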
@@ -281,7 +283,7 @@ * * @author Martin T Dengler [[EMAIL PROTECTED]] * @author Amy Roh - * @version $Revision: 1.4 $, $Date: 2001/08/14 18:50:10 $ + * @version $Revision: 1.5 $, $Date: 2001/08/20 00:33:34 $ * @since Tomcat 4.0 * */ @@ -335,6 +337,14 @@ super.init(config); + // Verify that we were not accessed using the invoker servlet + String servletName = getServletConfig().getServletName(); + if (servletName == null) + servletName = ""; + if (servletName.startsWith("org.apache.catalina.INVOKER.")) + throw new UnavailableException + ("Cannot invoke CGIServlet through the invoker"); + // Set our properties from the initialization parameters String value = null; try { @@ -604,6 +614,11 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { + // Verify that we were not accessed using the invoker servlet + if (req.getAttribute(Globals.INVOKED_ATTR) != null) + throw new UnavailableException + ("Cannot invoke CGIServlet through the invoker"); + CGIEnvironment cgiEnv = new CGIEnvironment(req, getServletContext()); if (cgiEnv.isValid()) { @@ -627,7 +642,7 @@ try { ServletOutputStream out = res.getOutputStream(); out.println("<HTML><HEAD><TITLE>$Name: $</TITLE></HEAD>"); - out.println("<BODY>$Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v 1.4 2001/08/14 18:50:10 pier Exp $<p>"); + out.println("<BODY>$Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v 1.5 2001/08/20 00:33:34 craigmcc Exp $<p>"); if (cgiEnv.isValid()) { out.println(cgiEnv.toString()); 
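Review bot: The init() guard in the `@@ -335,6 +337,14 @@` hunk compares the servlet name against the literal `"org.apache.catalina.INVOKER."`, and nothing in this commit defines that prefix. Presumably it mirrors the name the invoker gives to wrappers it creates, so if that naming changes the check silently stops matching and init() succeeds. A constant shared with the invoker (for example next to `INVOKED_ATTR` in Globals) would keep the two sides tied together. A comment should state that this check covers only invoker-created wrappers, while the doGet() check covers requests the invoker routes to an existing definition. The brace-less two-line `if` bodies are also easy to break in a later edit; init() continues outside the hunk.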
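Review bot: The request-attribute guard added at the top of doGet() (`@@ -604,6 +614,11 @@`) protects only that method. If this class has another entry point that does not delegate to doGet() (a doPost() or other doXxx override, not visible in the hunk), a request routed through the invoker would skip the check; this should be confirmed, or the test moved into one private helper called from every handler. Separately, `new UnavailableException(String)` denotes permanent unavailability in the Servlet API, and InvokerServlet rethrows it in this commit. It is worth verifying that one rejected request cannot leave a servlet marked unavailable for later legitimate requests. If it can, answering with `res.sendError(HttpServletResponse.SC_NOT_FOUND)` would reject the request without that side effect.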
@@ -669,7 +684,7 @@ /** For future testing use only; does nothing right now */ public static void main(String[] args) { - System.out.println("$Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v 1.4 2001/08/14 18:50:10 pier Exp $"); + System.out.println("$Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/CGIServlet.java,v 1.5 2001/08/20 00:33:34 craigmcc Exp $"); } @@ -685,7 +700,7 @@ * </p> * * @author Martin Dengler [[EMAIL PROTECTED]] - * @version $Revision: 1.4 $, $Date: 2001/08/14 18:50:10 $ + * @version $Revision: 1.5 $, $Date: 2001/08/20 00:33:34 $ * @since Tomcat 4.0 * */ @@ -1307,7 +1322,7 @@ * </p> * * @author Martin Dengler [[EMAIL PROTECTED]] - * @version $Revision: 1.4 $, $Date: 2001/08/14 18:50:10 $ + * @version $Revision: 1.5 $, $Date: 2001/08/20 00:33:34 $ */ protected class CGIRunner { 1.10 +23 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java Index: InvokerServlet.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- InvokerServlet.java 2001/07/22 20:25:11 1.9 +++ InvokerServlet.java 2001/08/20 00:33:34 1.10 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java,v 1.9 2001/07/22 20:25:11 pier Exp $ - * $Revision: 1.9 $ - * $Date: 2001/07/22 20:25:11 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java,v 1.10 2001/08/20 00:33:34 craigmcc Exp $ + * $Revision: 1.10 $ + * $Date: 2001/08/20 00:33:34 $ * * ==================================================================== * 
@@ -87,7 +87,7 @@ * in the web application deployment descriptor. * * @author Craig R. McClanahan - * @version $Revision: 1.9 $ $Date: 2001/07/22 20:25:11 $ + * @version $Revision: 1.10 $ $Date: 2001/08/20 00:33:34 $ */ public final class InvokerServlet @@ -422,14 +422,18 @@ request.setAttribute(Globals.JSP_FILE_ATTR, jspFile); else request.removeAttribute(Globals.JSP_FILE_ATTR); + request.setAttribute(Globals.INVOKED_ATTR, + request.getServletPath()); // if (debug >= 2) // log(" Calling service() method, jspFile=" + // jspFile); instance.service(wrequest, response); + request.removeAttribute(Globals.INVOKED_ATTR); request.removeAttribute(Globals.JSP_FILE_ATTR); } catch (IOException e) { // if (debug >= 2) // log(" service() method IOException", e); + request.removeAttribute(Globals.INVOKED_ATTR); request.removeAttribute(Globals.JSP_FILE_ATTR); try { wrapper.deallocate(instance); @@ -437,9 +441,22 @@ ; } throw e; + } catch (UnavailableException e) { + // if (debug >= 2) + // log(" service() method UnavailableException", e); + context.removeServletMapping(pattern); + request.removeAttribute(Globals.INVOKED_ATTR); + request.removeAttribute(Globals.JSP_FILE_ATTR); + try { + wrapper.deallocate(instance); + } catch (Throwable f) { + ; + } + throw e; } catch (ServletException e) { // if (debug >= 2) // log(" service() method ServletException", e); + request.removeAttribute(Globals.INVOKED_ATTR); request.removeAttribute(Globals.JSP_FILE_ATTR); try { wrapper.deallocate(instance); @@ -450,6 +467,7 @@ } catch (RuntimeException e) { // if (debug >= 2) // log(" service() method RuntimeException", e); + request.removeAttribute(Globals.INVOKED_ATTR); request.removeAttribute(Globals.JSP_FILE_ATTR); try { wrapper.deallocate(instance); 
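Review bot: In the `@@ -422,14 +422,18 @@` hunk `Globals.INVOKED_ATTR` is set on `request`, but the target servlet is called as `instance.service(wrequest, response)`. The new guards in CGIServlet and ManagerServlet therefore fire only if `wrequest` exposes the attributes of `request`, which the hunk does not show. A comment should state that dependency, or the attribute should be set on the object actually passed to service(). The cleanup `request.removeAttribute(Globals.INVOKED_ATTR);` is now repeated after the call and in every catch block (the `@@ -437`, `@@ -450` and `@@ -460` hunks). A single `finally { request.removeAttribute(Globals.INVOKED_ATTR); request.removeAttribute(Globals.JSP_FILE_ATTR); }` would guarantee the marker is cleared even when a handler is added or reordered later. The new UnavailableException handler also copies the empty `catch (Throwable f) { ; }` around `wrapper.deallocate(instance)`, which hides deallocation failures; the try block itself starts outside the hunk.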
@@ -460,6 +478,7 @@ } catch (Throwable e) { // if (debug >= 2) // log(" service() method Throwable", e); + request.removeAttribute(Globals.INVOKED_ATTR); request.removeAttribute(Globals.JSP_FILE_ATTR); try { wrapper.deallocate(instance); 1.8 +10 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/ManagerServlet.java Index: ManagerServlet.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/ManagerServlet.java,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- ManagerServlet.java 2001/07/22 20:25:11 1.7 +++ ManagerServlet.java 2001/08/20 00:33:34 1.8 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/ManagerServlet.java,v 1.7 2001/07/22 20:25:11 pier Exp $ - * $Revision: 1.7 $ - * $Date: 2001/07/22 20:25:11 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/ManagerServlet.java,v 1.8 2001/08/20 00:33:34 craigmcc Exp $ + * $Revision: 1.8 $ + * $Date: 2001/08/20 00:33:34 $ * * ==================================================================== * @@ -77,6 +77,7 @@ import org.apache.catalina.ContainerServlet; import org.apache.catalina.Context; import org.apache.catalina.Deployer; +import org.apache.catalina.Globals; import org.apache.catalina.Session; import org.apache.catalina.Wrapper; import org.apache.catalina.util.StringManager; @@ -152,7 +153,7 @@ * </ul> * * @author Craig R. McClanahan - * @version $Revision: 1.7 $ $Date: 2001/07/22 20:25:11 $ + * @version $Revision: 1.8 $ $Date: 2001/08/20 00:33:34 $ */ public class ManagerServlet 
@@ -252,6 +253,11 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { + + // Verify that we were not accessed using the invoker servlet + if (request.getAttribute(Globals.INVOKED_ATTR) != null) + throw new UnavailableException + (sm.getString("managerServlet.cannotInvoke")); // Identify the request parameters that we need String command = request.getPathInfo();
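Review bot: The guard added to doGet() builds its message with `sm.getString("managerServlet.cannotInvoke")`, but the commit's list of modified files contains no message-bundle change. Unless that key already exists, the rejection will not carry the intended text, so the key should be added to the bundle this servlet's `sm` reads. The import hunk for this file adds `org.apache.catalina.Globals` but not `javax.servlet.UnavailableException`, which compiles only if the class already imports it (not visible here). As in CGIServlet, the check lives in doGet() alone, so a comment such as `// every request handler in this class must repeat this check` would help if other doXxx methods exist or are added. doGet() continues outside the hunk.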