Bug#294707: tomcat4: Tomcat ignores "allowLinking" resource on restart (not reload) from manager
Sergey Sholokh
Sergey Sholokh <sergey@guard.kiev.ua>, 294707@bugs.debian.org
Fri Feb 11 02:24:07 2005
Package: tomcat4
Version: 4.1.31-local-3
Severity: important
Tags: patch
Tomcat forgets the "allowLinking" resource setting on restart from the manager
interface.
A quick investigation has shown that during stop "allowLinking" is reset to
false, and the system startup will fail.
I have found that bug on the Tomcat mailing list
(http://issues.apache.org/bugzilla/show_bug.cgi?id=21818)
In HEAD that bug is fixed,
but not yet in the Debian package :-(
I have stolen a patch from CVS and applied it to the source from the Debian package.
After installing that package I ran some tests restarting the
application from the manager (I use a log4j symlink in WEB-INF in my webapp). It works fine.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-dl380-g3.guard
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages tomcat4 depends on:
ii adduser 3.59 Add and remove users and groups
ii apache2-common 2.0.52-3 Next generation, scalable, extenda
ii libtomcat4-java 4.1.31-local-3 Java Servlet engine -- core librar
ii sun-j2sdk1.5 [java-compil 1.5.0+update01 Java(TM) 2 SDK, Standard Edition,
ii sun-j2sdk1.5debian [java- 0.18 Debian specific parts of Java(TM)
-- no debconf information
The patch:
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java 2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java 2005-02-10 16:39:03.000000000 +0200
@@ -82,7 +82,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.125 $ $Date: 2004/08/26 21:32:20 $
+ * @version $Revision: 1.126 $ $Date: 2004/11/19 20:52:02 $
*/
public class StandardContext
@@ -134,7 +134,6 @@
*/
private boolean available = false;
-
/**
* The Locale to character set mapper for this application.
*/
@@ -417,6 +416,24 @@
/**
+ * Case sensitivity.
+ */
+ protected boolean caseSensitive = true;
+
+
+ /**
+ * Allow linking.
+ */
+ protected boolean allowLinking = false;
+
+
+ /**
+ * Cache TTL in ms.
+ */
+ protected int cacheTTL = 5000;
+
+
+ /**
* Caching allowed flag.
*/
protected boolean cachingAllowed = true;
@@ -427,6 +444,7 @@
*/
protected DirContext webappResources = null;
+
// ----------------------------------------------------- Context Properties
@@ -447,6 +465,55 @@
}
+
+ /**
+ * Set case sensitivity.
+ */
+ public void setCaseSensitive(boolean caseSensitive) {
+ this.caseSensitive = caseSensitive;
+ }
+
+
+ /**
+ * Is case sensitive ?
+ */
+ public boolean isCaseSensitive() {
+ return caseSensitive;
+ }
+
+
+ /**
+ * Set allow linking.
+ */
+ public void setAllowLinking(boolean allowLinking) {
+ this.allowLinking = allowLinking;
+ }
+
+
+ /**
+ * Is linking allowed.
+ */
+ public boolean isAllowLinking() {
+ return allowLinking;
+ }
+
+
+ /**
+ * Set cache TTL.
+ */
+ public void setCacheTTL(int cacheTTL) {
+ this.cacheTTL = cacheTTL;
+ }
+
+
+ /**
+ * Get cache TTL.
+ */
+ public int getCacheTTL() {
+ return cacheTTL;
+ }
+
+
/**
* Returns true if the internal naming support is used.
*/
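Review bot: The Javadoc on the six accessors added here only restates the method names, although `allowLinking` and `caseSensitive` are security-relevant switches; each setter should say what the flag permits and when it takes effect. The setters only store the field, and the only visible place the values reach the resource context is the block in the `@@ -3281,8 +3348,19 @@` hunk, so a change made on a running context presumably has no effect until resources are started again. For `setAllowLinking` I would write `Allow symlinks that resolve outside the web application base path; applied when resources are next started. Leave false on case-insensitive filesystems.` For `setCaseSensitive` the comment should state which value disables the checks, because the context.xml text in this patch says `true` in its first sentence and `false` in its NOTE; the default of `true` suggests the NOTE is the correct one. The attached copy of the patch repeats this hunk.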
@@ -3281,8 +3348,19 @@
try {
ProxyDirContext proxyDirContext =
new ProxyDirContext(env, webappResources);
+ if (webappResources instanceof FileDirContext) {
+ filesystemBased = true;
+ ((FileDirContext) webappResources).setCaseSensitive
+ (isCaseSensitive());
+ ((FileDirContext) webappResources).setAllowLinking
+ (isAllowLinking());
+ }
+
if (webappResources instanceof BaseDirContext) {
((BaseDirContext) webappResources).setDocBase(getBasePath());
+ ((BaseDirContext) webappResources).setCached
+ (isCachingAllowed());
+ ((BaseDirContext) webappResources).setCacheTTL(getCacheTTL());
((BaseDirContext) webappResources).allocate();
}
this.resources = proxyDirContext;
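Review bot: The `ProxyDirContext` is constructed from `webappResources` before `setCaseSensitive`, `setAllowLinking`, `setCached` and `setCacheTTL` are applied to it, so anything the proxy's constructor copies from the wrapped context (its body is not visible here) would still reflect the previous values. Moving both `instanceof` blocks above `new ProxyDirContext(env, webappResources)` removes that ordering dependency. The block also overwrites whatever was configured on the directory context itself with the Context's values; that fails to the safe side by default (`allowLinking = false`, `caseSensitive = true`) but silently drops a setting made on a nested Resources element, so a comment such as `// Context-level attributes take precedence over values set on the Resources element` would make the override explicit. The enclosing method starts and ends outside the hunk, and the attached copy of the patch repeats it.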
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml 2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml 2005-02-10 16:46:12.000000000 +0200
@@ -6,7 +6,7 @@
<!--
Descriptions of JMX MBeans for Catalina
- $Id: mbeans-descriptors.xml,v 1.82 2004/01/25 23:07:16 billbarker Exp $
+ $Id: mbeans-descriptors.xml,v 1.83 2004/11/19 20:52:02 markt Exp $
-->
<mbeans-descriptors>
@@ -2072,9 +2072,23 @@
group="Context"
type="org.apache.catalina.core.StandardContext">
- <attribute name="cookies"
- description="Should we attempt to use cookies for session id
- communication?"
+ <attribute name="allowLinking"
+ description="Allow symlinking to outside the webapp root directory, if the webapp is an exploded directory"
+ is="true"
+ type="boolean"/>
+
+ <attribute name="cacheTTL"
+ description="Time interval in ms between cache refeshes"
+ type="int"/>
+
+ <attribute name="cachingAllowed"
+ description="Should we cache static resources for this webapp"
+ is="true"
+ type="boolean"/>
+
+ <attribute name="caseSensitive"
+ description="Should case sensitivity checks be performed"
+ is="true"
type="boolean"/>
<attribute name="cookies"
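Review bot: `allowLinking` and `caseSensitive` are declared here without `writeable="false"`, so as far as this descriptor shows they become settable management attributes on the StandardContext MBean, and the documentation in this same patch ties both flags to JSP source disclosure. Unless changing them through JMX is intended, I would add `writeable="false"` to those two attributes and leave them configurable only through the Context element; otherwise access to the MBean server needs to be restricted accordingly. Separately, the `cacheTTL` description reads "refeshes" and should be `description="Time interval in ms between cache refreshes"`. The attached copy of the patch has the same lines.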
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml 2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml 2005-02-10 17:03:37.000000000 +0200
@@ -169,12 +169,38 @@
<attributes>
+ <attribute name="allowLinking" required="false">
+ <p>If the value of this flag is <code>true</code>, symlinks will be
+ allowed inside the web application, pointing to resources outside the
+ web application base path. If not specified, the default value
+ of the flag is <code>false</code>.</p>
+ <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform
+ (or any other OS which does not have a case sensitive filesystem),
+ as it will disable case sensitivity checks, allowing JSP source code
+ disclosure, among other security problems.</b></p>
+ </attribute>
+
+ <attribute name="cacheTTL" required="false">
+ <p>Amount of time in milliseconds between cache entries revalidation.
+ If not specified, the default value is <code>5000</code>
+ (5 seconds).</p>
+ </attribute>
+
<attribute name="cachingAllowed" required="false">
<p>This boolean flag indicates if the resources may be cached. It
defaults to <code>true</code>. If set to <code>false</code>, this
flag overrides the <em>cached</em> attribute of any contained
- <a href="resources.html">Resources</a>
- element.</p>
+ <a href="resources.html">Resources</a>
element.</p>
+ </attribute>
+
+ <attribute name="caseSensitive" required="false">
+ <p>If the value of this flag is <code>true</code>, all case sensitivity
+ checks will be disabled. If not
+ specified, the default value of the flag is <code>true</code>.</p>
+ <p><b>NOTE: This flag MUST NOT be set to false on the Windows platform
+ (or any other OS which does not have a case sensitive filesystem),
+ as it will disable case sensitivity checks, allowing JSP source code
+ disclosure, among other security problems.</b></p>
</attribute>
<attribute name="debug" required="false">
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml 2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml 2005-02-10 17:05:38.000000000 +0200
@@ -85,8 +85,8 @@
</attribute>
<attribute name="caseSensitive" required="false">
- <p>This boolean flag toggles case sensitivity for resourceson
- the Windows platform. Defaults to <code>true</code>.</p>
+ <p>This is the functional equivalent to the <em>caseSensitive</em>
+ of a <a href="context.html">Context</a>.</p>
</attribute>
<attribute name="docBase" required="false">
Content-Disposition: attachment; filename="stolen.diff"
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java 2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java 2005-02-10 16:39:03.000000000 +0200
@@ -82,7 +82,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.125 $ $Date: 2004/08/26 21:32:20 $
+ * @version $Revision: 1.126 $ $Date: 2004/11/19 20:52:02 $
*/
public class StandardContext
@@ -134,7 +134,6 @@
*/
private boolean available = false;
-
/**
* The Locale to character set mapper for this application.
*/
@@ -417,6 +416,24 @@
/**
+ * Case sensitivity.
+ */
+ protected boolean caseSensitive = true;
+
+
+ /**
+ * Allow linking.
+ */
+ protected boolean allowLinking = false;
+
+
+ /**
+ * Cache TTL in ms.
+ */
+ protected int cacheTTL = 5000;
+
+
+ /**
* Caching allowed flag.
*/
protected boolean cachingAllowed = true;
@@ -427,6 +444,7 @@
*/
protected DirContext webappResources = null;
+
// ----------------------------------------------------- Context Properties
@@ -447,6 +465,55 @@
}
+
+ /**
+ * Set case sensitivity.
+ */
+ public void setCaseSensitive(boolean caseSensitive) {
+ this.caseSensitive = caseSensitive;
+ }
+
+
+ /**
+ * Is case sensitive ?
+ */
+ public boolean isCaseSensitive() {
+ return caseSensitive;
+ }
+
+
+ /**
+ * Set allow linking.
+ */
+ public void setAllowLinking(boolean allowLinking) {
+ this.allowLinking = allowLinking;
+ }
+
+
+ /**
+ * Is linking allowed.
+ */
+ public boolean isAllowLinking() {
+ return allowLinking;
+ }
+
+
+ /**
+ * Set cache TTL.
+ */
+ public void setCacheTTL(int cacheTTL) {
+ this.cacheTTL = cacheTTL;
+ }
+
+
+ /**
+ * Get cache TTL.
+ */
+ public int getCacheTTL() {
+ return cacheTTL;
+ }
+
+
/**
* Returns true if the internal naming support is used.
*/
@@ -3281,8 +3348,19 @@
try {
ProxyDirContext proxyDirContext =
new ProxyDirContext(env, webappResources);
+ if (webappResources instanceof FileDirContext) {
+ filesystemBased = true;
+ ((FileDirContext) webappResources).setCaseSensitive
+ (isCaseSensitive());
+ ((FileDirContext) webappResources).setAllowLinking
+ (isAllowLinking());
+ }
+
if (webappResources instanceof BaseDirContext) {
((BaseDirContext) webappResources).setDocBase(getBasePath());
+ ((BaseDirContext) webappResources).setCached
+ (isCachingAllowed());
+ ((BaseDirContext) webappResources).setCacheTTL(getCacheTTL());
((BaseDirContext) webappResources).allocate();
}
this.resources = proxyDirContext;
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml 2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml 2005-02-10 16:46:12.000000000 +0200
@@ -6,7 +6,7 @@
<!--
Descriptions of JMX MBeans for Catalina
- $Id: mbeans-descriptors.xml,v 1.82 2004/01/25 23:07:16 billbarker Exp $
+ $Id: mbeans-descriptors.xml,v 1.83 2004/11/19 20:52:02 markt Exp $
-->
<mbeans-descriptors>
@@ -2072,9 +2072,23 @@
group="Context"
type="org.apache.catalina.core.StandardContext">
- <attribute name="cookies"
- description="Should we attempt to use cookies for session id
- communication?"
+ <attribute name="allowLinking"
+ description="Allow symlinking to outside the webapp root directory, if the webapp is an exploded directory"
+ is="true"
+ type="boolean"/>
+
+ <attribute name="cacheTTL"
+ description="Time interval in ms between cache refeshes"
+ type="int"/>
+
+ <attribute name="cachingAllowed"
+ description="Should we cache static resources for this webapp"
+ is="true"
+ type="boolean"/>
+
+ <attribute name="caseSensitive"
+ description="Should case sensitivity checks be performed"
+ is="true"
type="boolean"/>
<attribute name="cookies"
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml 2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml 2005-02-10 17:03:37.000000000 +0200
@@ -169,12 +169,38 @@
<attributes>
+ <attribute name="allowLinking" required="false">
+ <p>If the value of this flag is <code>true</code>, symlinks will be
+ allowed inside the web application, pointing to resources outside the
+ web application base path. If not specified, the default value
+ of the flag is <code>false</code>.</p>
+ <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform
+ (or any other OS which does not have a case sensitive filesystem),
+ as it will disable case sensitivity checks, allowing JSP source code
+ disclosure, among other security problems.</b></p>
+ </attribute>
+
+ <attribute name="cacheTTL" required="false">
+ <p>Amount of time in milliseconds between cache entries revalidation.
+ If not specified, the default value is <code>5000</code>
+ (5 seconds).</p>
+ </attribute>
+
<attribute name="cachingAllowed" required="false">
<p>This boolean flag indicates if the resources may be cached. It
defaults to <code>true</code>. If set to <code>false</code>, this
flag overrides the <em>cached</em> attribute of any contained
- <a href="resources.html">Resources</a>
- element.</p>
+ <a href="resources.html">Resources</a>
element.</p>
+ </attribute>
+
+ <attribute name="caseSensitive" required="false">
+ <p>If the value of this flag is <code>true</code>, all case sensitivity
+ checks will be disabled. If not
+ specified, the default value of the flag is <code>true</code>.</p>
+ <p><b>NOTE: This flag MUST NOT be set to false on the Windows platform
+ (or any other OS which does not have a case sensitive filesystem),
+ as it will disable case sensitivity checks, allowing JSP source code
+ disclosure, among other security problems.</b></p>
</attribute>
<attribute name="debug" required="false">
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml 2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml 2005-02-10 17:05:38.000000000 +0200
@@ -85,8 +85,8 @@
</attribute>
<attribute name="caseSensitive" required="false">
- <p>This boolean flag toggles case sensitivity for resourceson
- the Windows platform. Defaults to <code>true</code>.</p>
+ <p>This is the functional equivalent to the <em>caseSensitive</em>
+ of a <a href="context.html">Context</a>.</p>
</attribute>
<attribute name="docBase" required="false">